The decentralized finance (DeFi) project Yearn.Finance was exploited, and its v1 yDAI vault lost about $11 million in digital assets. The exploit has already been eliminated.
The Yearn.Finance project lets users engage in "yield farming": they add their digital assets to pools and receive interest in return. The platform has recently updated its repositories, but the smart contracts have remained unchanged. According to DeFi Pulse, Yearn.Finance has been entrusted with $500 million in assets.
Users of the Yearn Discord and Telegram channels began reporting leaks on the afternoon of February 4. One user wrote: “Does anyone know why I have it written that I have lost thousands of DAI in the last few minutes?” In addition, a notification of a 1,059% loss was added to the repository user interface on Yearn.Finance.
Yearn.Finance also reported the attack on Twitter. Later, a developer under the pseudonym banteg wrote that the organizer of the attack managed to get away with $2.8 million, and that the v1 yDAI vault lost assets worth about $11 million. Deposits in DAI, TUSD, USDC and USDT were deactivated for the duration of the investigation.
After the attack became known, Twitter user UniWhales DAO reported a large sale of YFI for ETH. The cryptocurrency dropped in price by more than $5,000, from $34,979 to $29,580. The YFI rate then gradually recovered to $31,500.
At the time of the attack, all funds were deposited in 3pool on the Curve platform. 3pool holds DAI, USDT and USDC, allowing users to exchange stablecoins for other assets with limited slippage.
According to Mikhail Egorov, CEO of Curve, someone invested “a lot of money” in 3pool to manipulate the price of DAI. The vault relied on this price, and after the attack, the contract was terminated. Such actions were repeated several times, and the attacker managed to take the borrowed funds.
Egorov added that this problem is well known and shared his thoughts with the Yearn.Finance team on how to prevent such vulnerabilities.
Recall that in September, the founder of Yearn.Finance, Andre Cronje, launched the Eminence game protocol, but due to a critical vulnerability, investors lost $15 million.