Decentralized finance (DeFi) yield aggregator yearn.finance (YFI) reveals the details of a hacking incident that caused a total loss of $11 million to the network.
According to Yearn’s vulnerability disclosure posted on GitHub Thursday, yearn.finance creator Andre Cronje noticed odd patterns in a contract interacting with the platform’s vaults at 21:45 UTC on February 4th.
Upon further examination, the complex and concerning transaction turned out to be an active exploit of the v1 yDAI vault.
Yearn says the attacker caused the compromised vault to deposit and withdraw funds from the automated market maker (AMM) Curve’s 3pool at unfavorable rates.
“At a high level, the exploiter was able to profit through the following steps:
Debalance the exchange rate between stablecoins in Curve’s 3CRV pool.
Make the yDAI vault deposit into the pool at an unfavorable exchange rate.
Reverse the imbalance caused in step 1.”
The security team mitigated the exploit in 11 minutes. Yearn says the quick response saved 24 million of the vault’s 35 million DAI under management.
Despite the team’s quick work, yearn.finance developer banteg says the attacker managed to get away with some deposited funds in the pool.
Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. pic.twitter.com/1RWYyu0d5m
— banteg (@bantg) February 4, 2021
As for the cause of the attack, yearn.finance reports that a confluence of three factors led to the vulnerability.
“[First], the hacked vault’s slippage protection was set too loose at 1%. [Second], the normal 0.5% withdrawal fee was set to 0%, to encourage migrations to v2 vaults without incurring costs. [And third], this being a v1 vault, the exploiter was able to call earn() and push deposits into the vault’s strategy at will.”
Don’t Miss a Beat – Subscribe to get crypto email alerts delivered directly to your inbox
Follow us on Twitter, Facebook and Telegram
Disclaimer: Opinions expressed at The Daily Hodl are not investment advice. Investors should do their due diligence before making any high-risk investments in Bitcoin, cryptocurrency or digital assets. Please be advised that your transfers and trades are at your own risk, and any loses you may incur are your responsibility. The Daily Hodl does not recommend the buying or selling of any cryptocurrencies or digital assets, nor is The Daily Hodl an investment advisor. Please note that The Daily Hodl participates in affiliate marketing.
Featured Image: Shutterstock/Tithi Luadthong