Yearn.finance developers discovered a vulnerability in Robo Vault’s yield farming smart contract, which could have cost it around $50 million. The team has assured users that their funds are safe.
We’ve written up a postmortem on the vulnerability discovered in our vaults last week along with our next steps: https://t.co/GlQOmOkt9W
Once again full credit to @FP_Crypto & the @iearnfinance team for all their help in ensuring that no funds were lost.
— RoboVault (@robo_vault) October 27, 2021
The exploit discovered last week involved using flash loans to manipulate asset prices in the project’s liquidity pools. Robo Vault explained that a potential attacker could undertake the following steps:
- take a large flash loan;
- swap the proceeds to significantly reduce the vault’s total value;
- deposit assets into the vault, whose share price is now depressed;
- perform a reverse swap to increase the vault’s value as well as its share price;
- withdraw the funds and repay the loan.
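As an added illustration (not code from Robo Vault or Yearn), the toy model below replays the five steps against a vault that values its farmed asset at a pool's spot price, using constructed numbers, and shows one guard a defender could add: rejecting deposits while the spot price deviates from a reference (TWAP or oracle) price. The reference-price check, the 5% threshold and the fee-free constant-product pool are assumptions of this model, not the project's actual fix.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pool:  # constant-product pool for tokens A and B, no swap fee (constructed simplification)
    a: float
    b: float
    def spot(self) -> float:  # price of A quoted in B
        return self.b / self.a
    def swap(self, amt: float, a_in: bool) -> float:
        """Swap amt of A for B (a_in=True) or of B for A, keeping a*b constant."""
        k = self.a * self.b
        if a_in:
            self.a += amt; out = self.b - k / self.a; self.b -= out
        else:
            self.b += amt; out = self.a - k / self.b; self.a -= out
        return out

@dataclass
class Vault:  # accepts B, farms A, and values its A at the pool's spot price
    pool: Pool
    held_a: float
    held_b: float = 0.0
    shares: float = 100.0
    reference_price: Optional[float] = None  # assumed TWAP/oracle price; None = no guard
    max_deviation: float = 0.05              # assumed guard: reject deposits when spot is >5% off
    def share_price(self) -> float:
        return (self.held_a * self.pool.spot() + self.held_b) / self.shares
    def deposit_b(self, amt: float) -> float:
        if self.reference_price is not None:
            dev = abs(self.pool.spot() - self.reference_price) / self.reference_price
            if dev > self.max_deviation:
                raise ValueError(f"spot price {dev:.0%} off reference; deposit rejected")
        minted = amt / self.share_price()
        self.held_b += amt
        self.shares += minted
        return minted
def run(guarded: bool):
    """Replay the five steps on a fresh pool/vault; returns (price before, price after, value attacker can withdraw)."""
    pool = Pool(1000.0, 1000.0)
    vault = Vault(pool, held_a=100.0, reference_price=1.0 if guarded else None)
    before = vault.share_price()
    got_b = pool.swap(1000.0, a_in=True)   # steps 1-2: flash-loaned A dumped into the pool
    try:
        minted = vault.deposit_b(100.0)    # step 3: deposit at the depressed share price
    except ValueError:
        minted = 0.0
    pool.swap(got_b, a_in=False)           # step 4: reverse swap restores the price
    after = vault.share_price()
    return before, after, minted * after   # step 5: what those shares now redeem for
```

Unguarded, the 100 B deposit mints shares that redeem for 160 B once the price is restored, the extra 60 B coming from existing holders; with the guard the deposit is rejected and the share price stays at 1.0.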
The project team said it had “immediately taken a number of steps to safeguard users’ funds.” In particular, management moved assets to a reserve fund and disabled deposits.
At the time of writing, Robo Vault is unavailable to users. The developers are still examining the issue and working on possible solutions. According to them, the new vault version will use Yearn's V2 architecture without any changes.
“Though our vaults were already using much of this architecture, we have made some changes to simplify a number of things that, along with some misguided decisions, led to the potential exploit,” the developers explained.
The updated vaults will launch “in the next two weeks.” Their codebase will first be audited by experts who “have experience working with liquidity pools vulnerable to attacks using flash loans.”
Earlier on October 27, an attacker drained $130 million from the pools of the DeFi protocol Cream Finance using a flash loan.
