Yearn Finance Suffers $11.1 Mln Hack - Market Update.
2021-02-05 | Robin Williams

Yearn Finance has suffered an exploit in one of its DAI lending pools, according to an announcement from the DeFi [Decentralized Finance] protocol’s official Twitter account.

An official update from the Yearn team, shared in Discord, read: “Attacker got away with 2.8 Mln, dai vault lost $11.1 Mln.”

An Aave flash loan was used to trigger the vault draining, according to an Ethereum address presumed to be related to the exploit.

Yearn Finance is one of the leading venues in DeFi, known for always permitting depositors to recoup all their yield in the token they initially deposited. The platform recently updated to a new suite of vaults, but as with all smart contract platforms, the prior smart contracts persisted.

According to DeFi Pulse, Yearn presently has $500 Mln worth of assets entrusted to it. Even on version 1, many of its pools earn annual yields of over 20%.

Word began circulating among users in the Yearn Discord and Telegram channels earlier on Thursday afternoon. At 4:38 p.m. ET in the Yearn Discord server, Jeffrey Bongos asked, “Anyone knows why v1Dai vault is showing that I’ve lost thousands of Dai within the earlier couple of minutes?”

After 5 p.m. ET, the front end of the v1 DAI vault on the Yearn website showed a loss of 1059%.

Yearn’s YFI governance token had a price drop of $4k on the news. Just after the attack became public, the UniWhales Twitter account reported an outsized sale of YFI for ETH.

The vault attacked was Yearn’s v1 DAI vault, which updated to a new investment strategy last month, according to the official blog post published by the Yearn team on 23rd Jan.

The vault’s strategy at the time of the attack was to deposit all funds into the “3pool” on the AMM [Automated Market Maker] Curve. Curve’s 3pool consists of DAI, USDT, and USDC, permitting users to swap any of the stablecoins for another at very low slippage.

“In a nutshell, someone deposited a bunch to Curve 3pool to control DAI price given by the pool,” Curve CEO Michael Egorov explained. “Vault somehow was counting on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated repeatedly taking flash-borrowed funds.”

Adding further, Egorov explained:

"That's a documented issue [one could have it with Uniswap, too, however, Uniswap isn't so popular for yield farming]. I've expressed my thoughts to Yearn team on how this might have been prevented [and similar vulnerabilities, too]. But honestly, didn't expect them to possess such an error within the code, that was a surprise to me."
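
The dependency Egorov describes, a vault trusting the price a pool reports in the current block, can be illustrated with a small model and a deviation guard. This is an added example, not code from Yearn or Curve: it assumes a two-asset constant-product pool instead of Curve's three-asset StableSwap, a reference price of 1.0 from an independent source, and constructed reserves, trade size and 50 bps tolerance.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Two-asset constant-product pool (assumed simplification of 3pool)."""
    dai: float
    usdc: float

    def spot_price_dai(self) -> float:
        # USDC per DAI implied by the reserves right now; one large
        # trade in the same block is enough to move this value.
        return self.usdc / self.dai

    def swap_usdc_for_dai(self, usdc_in: float) -> float:
        # x * y = k swap, fees ignored for clarity.
        k = self.dai * self.usdc
        new_usdc = self.usdc + usdc_in
        dai_out = self.dai - k / new_usdc
        self.usdc = new_usdc
        self.dai -= dai_out
        return dai_out


def deviation_bps(pool: Pool, reference: float = 1.0) -> float:
    """Distance of the pool's spot price from the reference, in basis points."""
    return abs(pool.spot_price_dai() - reference) / reference * 10_000


def vault_may_transact(pool: Pool, reference: float = 1.0,
                       max_bps: float = 50) -> bool:
    """Hypothetical guard: refuse to deposit into or withdraw from the pool
    while its spot price is further than max_bps from the reference."""
    return deviation_bps(pool, reference) <= max_bps


def demo():
    # Constructed numbers: balanced pool, then one oversized trade.
    pool = Pool(dai=100_000_000, usdc=100_000_000)
    before = vault_may_transact(pool)
    pool.swap_usdc_for_dai(50_000_000)
    after = vault_may_transact(pool)
    return before, round(pool.spot_price_dai(), 4), after


if __name__ == "__main__":
    print(demo())
```

With the guard in place the vault would decline to act while the pool is skewed; without it, the vault values its position at whatever price the pool currently shows.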