Hacker drains $2.8m from yEarn.Finance DeFi pool

On February 5, the yEarn.Finance team discovered and fixed a vulnerability in the v1 yDAI pool. An unknown attacker managed to withdraw part of the funds.

The lead developer of yEarn.Finance, known as banteg, said that the attacker gained around $2.8m, while the pool lost $11m.

Deposits in DAI, TUSD, USDC and USDT were disabled during the investigation.

Members of the r/yearn_finance subreddit were the first to notice the problem. Later, The Block analyst Igor Igamberdiev explained that the attacker used flash loans.

According to Igamberdiev, the attacker turned to the DeFi platforms dYdX and Aave, where he borrowed 116,000 ETH and 99,000 ETH respectively. He also used ETH as collateral to borrow 134 million USDC and 129 million DAI through Compound.

The analyst described the next steps as follows: the attacker added 134 million USDC and 36 million DAI to the 3crv Curve pool and withdrew 165 million USDT from the same pool. The following actions were then repeated five times:

  • deposited 93 million DAI into the yDAI vault (each time less);
  • added 165 million USDT to the 3crv pool;
  • withdrew 92 million DAI from the yDAI vault (each time less);
  • withdrew 165 million USDT from the 3crv pool.

Then he withdrew 39 million DAI and 134 million USDC instead of USDT, and repaid the Compound debt and the flash loans.
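The sequence above lends itself to a simple monitoring heuristic. The following is an added example, not code from the article or from the yEarn team: it scans a constructed, simplified event trace (the tuple layout and action names are assumptions) for a flash-loan-funded transaction that repeats the vault/pool round trip.

```python
# Added example. Each event is (contract, action, asset): a constructed,
# simplified stand-in for a decoded transaction trace, not real chain data.
CYCLE = ("deposit", "add_liquidity", "withdraw", "remove_liquidity")

def count_cycles(events, vault, pool):
    """Count vault-deposit / pool-add / vault-withdraw / pool-remove loops."""
    owner = {"deposit": vault, "withdraw": vault,
             "add_liquidity": pool, "remove_liquidity": pool}
    step = cycles = 0
    for contract, action, _asset in events:
        if action == CYCLE[step] and contract == owner[action]:
            step += 1
            if step == len(CYCLE):
                cycles, step = cycles + 1, 0
        elif action == "deposit" and contract == vault:
            step = 1  # a fresh vault deposit restarts the pattern
    return cycles

def assess(events, vault, pool, min_cycles=2):
    """Flag a transaction that is flash-loan funded and repeats the loop."""
    actions = {action for _c, action, _a in events}
    flash = {"flash_borrow", "flash_repay"} <= actions
    cycles = count_cycles(events, vault, pool)
    return {"flash_loan": flash, "cycles": cycles,
            "suspicious": flash and cycles >= min_cycles}

# Constructed trace following the order of steps reported in the article.
ATTACK_TRACE = (
    [("dYdX", "flash_borrow", "ETH"), ("Aave", "flash_borrow", "ETH"),
     ("Compound", "borrow", "USDC"), ("Compound", "borrow", "DAI"),
     ("3crv", "add_liquidity", "USDC"), ("3crv", "add_liquidity", "DAI"),
     ("3crv", "remove_liquidity", "USDT")]
    + 5 * [("yDAI", "deposit", "DAI"), ("3crv", "add_liquidity", "USDT"),
           ("yDAI", "withdraw", "DAI"), ("3crv", "remove_liquidity", "USDT")]
    + [("3crv", "remove_liquidity", "DAI"), ("3crv", "remove_liquidity", "USDC"),
       ("Compound", "repay", "USDC"), ("Compound", "repay", "DAI"),
       ("Aave", "flash_repay", "ETH"), ("dYdX", "flash_repay", "ETH")]
)

# Constructed benign case: an ordinary deposit followed by a withdrawal.
BENIGN_TRACE = [("yDAI", "deposit", "DAI"), ("yDAI", "withdraw", "DAI")]

if __name__ == "__main__":
    print(assess(ATTACK_TRACE, "yDAI", "3crv"))
    print(assess(BENIGN_TRACE, "yDAI", "3crv"))
```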

Aave head Stani Kulechov cited Etherscan data showing that total transaction fees paid by the attacker exceeded $5,000.

"A complex exploit with more than 160 nested transactions and 8.6 million units of gas used (about 75% of a block)," Kulechov wrote.

Investor Julien Thevenard noted that as a result of the operation Curve Finance stakers earned about $3.5m.

As of writing, the DeFi token YFI was trading at $32,267. According to CoinGecko, in the last 24 hours the coin fell 4.2%.

At the end of 2020, yEarn.Finance founder Andre Cronje unveiled a new DeFi project, yCredit. Developers later discovered a critical vulnerability in it that enabled the withdrawal of all user funds.

In October 2020, an attacker used $24m in stablecoins from Harvest Finance pools to withdraw $19.8m in renBTC.

In November, an unknown attacker withdrew $6m in DAI and USDC as part of a “complex attack” on the Value DeFi project’s MultiStables vault, using an 80,000 ETH flash loan via the Aave platform.

In the same month, the DeFi protocol SushiSwap lost between $10,000 and $15,000 due to a vulnerability.
