On Thursday (February 4, 2021), an unknown attacker reportedly stole $2.8 million from a shared vault on the investment platform Yearn.Finance. The attacker(s) exploited the vault with the help of Aave, a decentralized finance (DeFi) platform that offers flash loans. A flash loan lets a borrower take out funds without posting any collateral, on the condition that the loan is repaid within the same transaction; if it is not, the whole transaction reverts, so the lender never bears the risk.
The team at Yearn.Finance has released a detailed post-mortem report regarding the recent exploit. Tether Ltd, the world’s largest stablecoin issuer, has also frozen $1.7 million in USDT that was allegedly involved in this security breach, Tether CTO Paolo Ardoino confirmed.
The Yearn.Finance team first confirmed that one of its DAI stablecoin lending pools had been exploited. Then, at 5:14 p.m. ET, banteg of the Yearn.Finance team posted in the project's Discord channel that the attacker “got away with 2.8m, dai vault lost 11.1m.”
The transaction history of an Ethereum address that may be linked to the attack shows that an Aave flash loan was taken out to fund the vault draining. Yearn.Finance is one of the leading DeFi platforms and has become well known for vaults that automatically earn yield on the tokens depositors place in them. Yearn had since released updated versions of its vaults, but, as with many other smart contract platforms, the earlier contracts remained deployed on-chain and continued to hold user funds.
DeFi Pulse data shows that Yearn has just over $480 million worth of assets locked in its contracts. On version 1 of the DeFi platform, many of Yearn’s lending pools have consistently been earning annual yields of more than 20%.
Users active on Yearn’s Discord and Telegram channels first reported the incident and the related drains on Thursday (February 4, 2021) afternoon. At around 4:38 p.m. ET, a user in the Yearn Discord server, Jeffrey Bongos, asked whether anyone knew why the v1 DAI vault was showing that it had lost a large amount of DAI within a few minutes. Just after 5 p.m. ET, the front end of the v1 DAI vault on Yearn’s website was displaying a loss of over 1,000%.
Yearn’s YFI governance token plummeted to $4,000 following the security breach, but has since recovered and is trading above $31,000 at the time of writing. The price drop appeared to come after the exploit became known to the general public, which was when the UniWhales Twitter account reported a large sale of YFI for ETH.
The vault attacked was reportedly Yearn’s v1 DAI vault, which had updated to a new investment strategy in January 2021.
The vault’s strategy at the time of the attack was to deposit all of its funds into the “3pool” on the automated market maker Curve, a pool that holds the stablecoins DAI, USDT and USDC and lets users swap any of these assets for the others at low slippage.
Michael Egorov, CEO of Curve, explained that the attacker deposited into Curve’s 3pool in order to manipulate the DAI price the pool provides.
The vault relied on the DAI exchange rate provided by this pool when it entered and exited the pool. After the manipulation the vault contract withdrew from the pool, and the attacker repeated this cycle numerous times using flash-borrowed funds, Egorov added. He explained that this is a well-documented class of problem that could potentially affect protocols built on other automated market makers such as Uniswap, although the leading ERC-20 token exchange is not used as frequently for yield farming purposes.
Egorov added that he has shared his views on the issue with the Yearn.Finance team, along with how this and similar exploits can be prevented. He acknowledged, however, that he had not expected them to make this kind of mistake when writing the code.
As summarized in the post-mortem report:
“An exploit against Yearn’s v1 yDAI vault has led to 11m DAI of vault deposits being lost. Acting in roughly 11 minutes, Yearn’s security team and multi-sig wallet signers were able to stop the exploit while it was underway, saving 24m DAI out of the vault’s total 35m DAI deposits. By creating exchange rate imbalances in Curve’s 3pool, an exploiter was able to cause Yearn’s yDAI vault to deposit and withdraw funds from 3pool at unfavorable rates across a series of transactions.”
The report further noted:
“The exploiter profited from the loss by holding a good portion of the Curve 3pool during the attack, and withdrawing to a combination of USDT, DAI, and ETH. It is estimated to have resulted in a 2.7m DAI profit.”
It is worth noting that although the attacker drained DAI worth $11 million from the vault, carrying out the exploit cost large amounts in fees. They were “only” able to net $2.7 million in profit, while the liquidity pool fees and staker fees paid during the attack came to $3.5 million each, and Aave v2 fees were around $1.4 million.
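The mechanism that Egorov and the post-mortem describe above, as an added simulation that is not part of the original article or of Yearn's or Curve's code. A two-coin constant-product pool stands in for Curve's 3pool (the real pool uses the StableSwap invariant, which has far lower slippage, but the penalty for single-sided deposits into the coin already in surplus exists in both). The attacker first becomes a large liquidity provider, skews the pool with flash-borrowed DAI, lets the vault enter at the skewed rate, unwinds the skew, and lets the vault exit; the vault's round-trip loss ends up with the pool's liquidity providers, which the attacker mostly is. `naive_deposit` accepts whatever LP amount the pool mints, which is the vulnerable pattern; `checked_deposit` bounds the LP amount it accepts against the pool's virtual price and refuses to enter an imbalanced pool. All names, balances and the 0.04% swap fee are assumptions chosen for the example; the flash-loan fee is set to Aave v2's 0.09%.

```python
"""Simulation of an AMM-imbalance attack on a vault that enters and exits a
pool at whatever spot rate the pool currently offers (added example)."""
import math

SWAP_FEE = 0.0004        # assumed pool swap fee, accrues to liquidity providers
FLASH_FEE = 0.0009       # Aave v2 flash-loan fee (0.09%)
VAULT_DEPOSIT = 10_000.0 # assumed size of the vault's deposit


class StablePool:
    """Two-coin constant-product pool (DAI/USDT) standing in for Curve's 3pool."""

    def __init__(self, dai, usdt):
        self.dai, self.usdt = float(dai), float(usdt)
        self.lp_supply = self.dai + self.usdt   # 1 LP token ~ $1 while balanced

    def invariant(self):
        return math.sqrt(self.dai * self.usdt)

    def virtual_price(self):
        # LP token value measured by the invariant, not by the reserves: swaps
        # move the reserves around but (fees aside) leave the invariant alone,
        # so this reference is far harder to manipulate than the spot rate.
        return 2 * self.invariant() / self.lp_supply

    def swap(self, coin_in, amount):
        """Swap `amount` of coin_in ('dai' or 'usdt') for the other coin."""
        coin_out = "usdt" if coin_in == "dai" else "dai"
        r_in, r_out = getattr(self, coin_in), getattr(self, coin_out)
        out = r_out - r_in * r_out / (r_in + amount * (1 - SWAP_FEE))
        setattr(self, coin_in, r_in + amount)      # fee stays in the pool
        setattr(self, coin_out, r_out - out)
        return out

    def quote_add_liquidity(self, dai, usdt):
        # LP minted is proportional to invariant growth: adding only the coin
        # already in surplus grows the invariant little and mints few tokens.
        before = self.invariant()
        after = math.sqrt((self.dai + dai) * (self.usdt + usdt))
        return self.lp_supply * (after / before - 1)

    def add_liquidity(self, dai, usdt):
        minted = self.quote_add_liquidity(dai, usdt)
        self.dai, self.usdt, self.lp_supply = self.dai + dai, self.usdt + usdt, self.lp_supply + minted
        return minted

    def remove_liquidity(self, lp):
        share = lp / self.lp_supply
        dai, usdt = share * self.dai, share * self.usdt
        self.dai, self.usdt, self.lp_supply = self.dai - dai, self.usdt - usdt, self.lp_supply - lp
        return dai, usdt

    def remove_liquidity_one_coin_dai(self, lp):
        dai, usdt = self.remove_liquidity(lp)
        return dai + self.swap("usdt", usdt)


def naive_deposit(pool, amount):
    """Vulnerable pattern: take whatever the pool mints at this instant."""
    return pool.add_liquidity(amount, 0)


def checked_deposit(pool, amount, max_slippage=0.005):
    """Hardened pattern: bound the LP amount accepted by a manipulation-resistant
    reference (the virtual price) and revert instead of entering a skewed pool."""
    expected = amount / pool.virtual_price()
    if pool.quote_add_liquidity(amount, 0) < expected * (1 - max_slippage):
        return None                      # revert: pool is too imbalanced
    return pool.add_liquidity(amount, 0)


def run_attack(deposit_fn):
    pool = StablePool(1_000_000, 1_000_000)          # assumed other LPs' funds
    borrowed = 3_000_000.0 + 1_000_000.0              # flash-borrowed DAI + USDT
    atk_lp = pool.add_liquidity(1_000_000, 1_000_000) # 1. become a large LP
    atk_usdt = pool.swap("dai", 2_000_000)            # 2. skew: DAI now in surplus
    vault_lp = deposit_fn(pool, VAULT_DEPOSIT)        # 3. vault enters single-sided
    atk_dai = pool.swap("usdt", atk_usdt)             # 4. unwind the skew
    vault_dai = VAULT_DEPOSIT if vault_lp is None else pool.remove_liquidity_one_coin_dai(vault_lp)
    lp_dai, lp_usdt = pool.remove_liquidity(atk_lp)   # 6. redeem LP, repay loan
    return {"vault_final": vault_dai,
            "attacker_profit": atk_dai + lp_dai + lp_usdt - borrowed * (1 + FLASH_FEE)}


def honest_deposit_accepted():
    """The hardened check must still let a deposit into a balanced pool through."""
    return checked_deposit(StablePool(1_000_000, 1_000_000), VAULT_DEPOSIT) is not None


if __name__ == "__main__":
    for name, fn in (("naive vault", naive_deposit), ("checked vault", checked_deposit)):
        print(name, run_attack(fn))
    print("honest deposit accepted:", honest_deposit_accepted())
```

In the naive run the vault gets back roughly half of its deposit and the attacker's net, after swap and flash-loan fees, is positive but far smaller than the vault's loss, which matches the post-mortem's picture of a profit dwarfed by fees paid to the pool. With the checked vault the attacker pays the fees for skewing the pool and extracts nothing. The same bound belongs on the exit path (a minimum amount out on the single-coin withdrawal); on Curve pools the reference is `get_virtual_price()` and the bound is the `min_mint_amount` argument of `add_liquidity`.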