{"id":35893,"date":"2021-02-05T11:14:03","date_gmt":"2021-02-05T09:14:03","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=35893"},"modified":"2025-08-29T03:30:04","modified_gmt":"2025-08-29T00:30:04","slug":"hacker-drains-2-8m-from-yearn-finance-defi-pool","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hacker-drains-2-8m-from-yearn-finance-defi-pool\/","title":{"rendered":"Hacker drains $2.8m from yEarn.Finance DeFi pool"},"content":{"rendered":"<p>On February 5, the yEarn.Finance team discovered and fixed a vulnerability in the v1 yDAI pool. An unknown attacker managed to withdraw part of the funds.<\/p>\n<p><!--more--><\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.<\/p>\n<p>\u2014 yearn.finance (@iearnfinance) <a href=\"https:\/\/twitter.com\/iearnfinance\/status\/1357451290561937408?ref_src=twsrc%5Etfw\">February 4, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Lead developer of yEarn.Finance, known as banteg, said that the attacker gained around $2.8m, and the pool lost $11m.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC and USDT vaults while we investigate. <a href=\"https:\/\/t.co\/1RWYyu0d5m\">pic.twitter.com\/1RWYyu0d5m<\/a><\/p>\n<p>\u2014 banteg (@bantg) <a href=\"https:\/\/twitter.com\/bantg\/status\/1357453626847952896?ref_src=twsrc%5Etfw\">February 4, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Deposits in DAI, TUSD, USDC and USDT were disabled during the investigation.<\/p>\n<p>First to notice the problem were members of the <a href=\"https:\/\/www.reddit.com\/r\/yearn_finance\/comments\/lcr13x\/yearn_dai_vault_is_acting_weird\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">\u043e\u0431\u0440\u0430\u0442\u0438\u043b\u0438 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435<\/a> subreddit r\/yearn_finance. Later, The Block analyst Igor Igamberdiev explained that the attacker used flash loans.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">Ok, new DeFi exploit.<\/p>\n<p>Victim:<br \/>\n\u2014 <a href=\"https:\/\/twitter.com\/iearnfinance?ref_src=twsrc%5Etfw\">@iearnfinance<\/a><\/p>\n<p>Attacker profit:<br \/>\n\u2014 513k DAI<br \/>\n\u2014 1.7M USDT<br \/>\n\u2014 remaining 506k 3CRV (~$1)<\/p>\n<p>To obtain such a profit, the attacker executed 11 transactions.<br \/>\nBelow is a very superficial explanation of what was happening in these transactions\ud83d\udc47<\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1357464851531116544?ref_src=twsrc%5Etfw\">February 4, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to Igamberdiev, the attacker turned to DeFi platforms dYdX and Aave \u2014 there he borrowed 116,000 ETH and 99,000 ETH respectively. He also used Ethereum as collateral to borrow 134 million USDC and 129 million DAI through Compound.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">1\/ Flash loaned 116k ETH from dYdX<\/p>\n<p>Victim:<br \/>\n\u2014 <a href=\"https:\/\/twitter.com\/iearnfinance?ref_src=twsrc%5Etfw\">@iearnfinance<\/a><\/p>\n<p>Attacker profit:<br \/>\n\u2014 513k DAI<br \/>\n\u2014 1.7M USDT<br \/>\n\u2014 remaining 506k 3CRV (~$1)<\/p>\n<p>To obtain such a profit, the attacker executed 11 transactions.<br \/>\nBelow is a very superficial explanation of what was happening in these transactions\ud83d\udc47<\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1357464851531116544?ref_src=twsrc%5Etfw\">February 4, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The analyst described the next steps as follows: the attacker added 134 million USDC and 36 million DAI to the 3crv Curve pool, withdrew 165 million USDT from the 3crv Curve pool. The following actions were repeated five times:<\/p>\n<ul>\n<li>deposited 93 million DAI into the yDAI vault (each time less);<\/li>\n<li>added 165 million USDT to the 3crv pool;<\/li>\n<li>withdrew 92 million DAI from the yDAI vault (each time less);<\/li>\n<li>withdrew 165 million USDT from the 3crv pool.<\/li>\n<\/ul>\n<p>Then he withdrew 39 million DAI and 134 million USDC instead of USDT, repaid the Compound debt and the flash loans.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\">\n<p dir=\"ltr\" lang=\"en\">\u2014 Deposit 93M DAI to yDAI vault (less w\/ each time)<br \/>\n\u2014 Add 165M USDT to 3crv pool<br \/>\n\u2014 Withdraw 92M DAI from yDAI vault (less w\/ each time)<br \/>\n\u2014 Withdraw 165M USDT from 3crv pool<br \/>\n7\/ In the last time withdraw 39M DAI and 134M USDC instead USDT<br \/>\n8\/ Repay Compound debts<br \/>\n9\/ Repay flash loans<\/p>\n<p>\u2014 Igor Igamberdiev (@FrankResearcher) <a href=\"https:\/\/twitter.com\/FrankResearcher\/status\/1357464855331155971?ref_src=twsrc%5Etfw\">February 4, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Aave head Stani Kulechov cited Etherscan data showing that total transaction fees paid by the attacker exceeded $5,000.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Complex exploit with over 160 nested transactions transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss \ud83e\udd2f <a href=\"https:\/\/t.co\/WdqMGTuBQF\">https:\/\/t.co\/WdqMGTuBQF<\/a> <a href=\"https:\/\/t.co\/MoaZIfGKGa\">https:\/\/t.co\/MoaZIfGKGa<\/a><\/p>\n<p>\u2014 stani.eth \ud83d\udc7b v2 is live \ud83d\udc7b (@StaniKulechov) <a href=\"https:\/\/twitter.com\/StaniKulechov\/status\/1357453837213331459?ref_src=twsrc%5Etfw\">February 4, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote>\n<p>\u00ab\u0421\u043b\u043e\u0436\u043d\u044b\u0439 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442 \u0441 \u0431\u043e\u043b\u0435\u0435 \u0447\u0435\u043c 160 \u0432\u043b\u043e\u0436\u0435\u043d\u043d\u044b\u043c\u0438 \u0442\u0440\u0430\u043d\u0437\u0430\u043a\u0446\u0438\u044f\u043c\u0438 \u0438 8,6 \u043c\u043b\u043d \u0435\u0434\u0438\u043d\u0438\u0446 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0433\u0430\u0437\u0430 (\u043e\u043a\u043e\u043b\u043e 75% \u0431\u043b\u043e\u043a\u0430)\u00bb, \u2014 \u043d\u0430\u043f\u0438\u0441\u0430\u043b \u041a\u0443\u043b\u0435\u0447\u043e\u0432.<\/p>\n<\/blockquote>\n<p>Investor Julien Thevenard noted that as a result of the operation Curve Finance stakers earned about $3.5m.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">In this exploit, the arber got away with $2.8M and <a href=\"https:\/\/twitter.com\/CurveFinance?ref_src=twsrc%5Etfw\">@CurveFinance<\/a> stakers received over $3M \u2026 <a href=\"https:\/\/t.co\/TV7u2VM4BU\">https:\/\/t.co\/TV7u2VM4BU<\/a> <a href=\"https:\/\/t.co\/NgyIyjpbwC\">pic.twitter.com\/NgyIyjpbwC<\/a><\/p>\n<p>\u2014 Julien Thevenard (@JulienThevenard) <a href=\"https:\/\/twitter.com\/JulienThevenard\/status\/1357460810633773061?ref_src=twsrc%5Etfw\">February 4, 2021<\/a><\/p>\n<\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>As of writing, the DeFi token YFI was trading at $32,267. According to CoinGecko, in the last 24 hours the coin fell 4.2%.<\/p>\n<p>At the end of 2020, yEarn.Finance founder Andre Cronje unveiled <a href=\"https:\/\/forklog.com\/en\/news\/andre-cronje-founder-of-yearn-finance-unveils-new-defi-project-ycredit\">a new DeFi project<\/a> \u2014 yCredit. Later, developers discovered in it <a href=\"https:\/\/forklog.com\/en\/news\/critical-vulnerability-found-in-new-defi-protocol-from-yearn-finance-founder\">a critical vulnerability<\/a>, enabling the withdrawal of all user funds.<\/p>\n<p>In October 2020, the attacker <a href=\"https:\/\/forklog.com\/en\/news\/hacker-drains-19-8m-from-harvest-finance-as-farm-price-falls-more-than-50\">used $24m in stablecoins<\/a> from Harvest Finance pools to withdraw $19.8m in renBTC.<\/p>\n<p>In November, an unknown <a href=\"https:\/\/forklog.com\/en\/news\/value-defi-project-loses-6-million-in-flash-loan-attack\">withdrawn $6m<\/a> in DAI and USDC as part of a &#8220;complex attack&#8221; on the Value DeFi project\u2019s MultiStables vault, using an 80 000 ETH flash loan via the Aave platform.<\/p>\n<p>In the same month, the DeFi protocol SushiSwap <a href=\"https:\/\/forklog.com\/en\/news\/defi-protocol-sushiswap-loses-up-to-15000-due-to-vulnerability\">lost between $10,000 and $15,000<\/a> due to a vulnerability.<\/p>\n<p>Subscribe to ForkLog news on the <a href=\"https:\/\/www.facebook.com\/forklog\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Facebook<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On February 5, the yEarn.Finance team discovered and fixed a vulnerability in the v1 yDAI pool. An unknown attacker managed to withdraw part of the funds.<\/p>\n","protected":false},"author":1,"featured_media":35894,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1154,1093,1869],"class_list":["post-35893","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-crimes","tag-defi","tag-yearn-finance"],"aioseo_notices":[],"amp_enabled":true,"views":"37","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/35893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=35893"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/35893\/revisions"}],"predecessor-version":[{"id":35895,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/35893\/revisions\/35895"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/35894"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=35893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=35893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=35893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}