One of the most popular decentralized finance protocols, Yearn.Finance (YFI), launched by Andre Cronje, suffered an exploit: an attacker escaped with $2.8 million. According to the initial results of third-party investigations, the mysterious hacker used five separate DeFi protocols to perform this sophisticated attack.
Yet another "flash loan" attack results in $2.8 million lost
Today, Feb. 5, 2021, it became known that the Yearn.Finance (YFI) protocol was attacked through a "flash loan" exploit. The malefactors drained $11 million from a DAI vault and grabbed $2.8 million in DAI and USDT stablecoins. The Yearn.Finance (YFI) team promptly confirmed that the attack occurred and began an investigation.
According to an anonymous developer who goes by @bantg on Twitter, the attack was mitigated successfully in about 10 minutes. If not for such a quick response, the attack could have been far more devastating:
The fast reaction has reduced the damage from $35m to $11m.
The first comprehensive analysis of what had happened was reported by the PeckShield cybersecurity team. They found that the attacker used a "forced investment" instrument to inject liquidity into a strategy that was not profitable at the moment.
Thus, the design flaw allowed the malefactor to perform a "flash loan attack" that involved dYdX, Aave Protocol (AAVE), Compound Finance (COMP), Curve Protocol (CRV) and Yearn.Finance (YFI) itself.
Also, the malefactor eluded the enforced slippage control, a security mechanism that protects the system from such exploits. He/she repeated some of the steps of the hack to prevent the entire attack from being reversed.
YFI price collapses 11 percent in minutes
Immediately upon the disclosure of the attack, the Yearn.Finance (YFI) team disabled deposits for four vaults, i.e., DAI, TUSD, USDC and USDT pools.
At press time, the attacker's wallet still holds more than $2.2 million. He/she utilized the Tornado Cash mixer to obfuscate some transactions with stolen funds.
The price of YFI, a governance asset of the Yearn.Finance (YFI) protocol, collapsed immediately after the first messages about the attack.
In less than 50 minutes, the YFI price lost about $4,000/YFI and touched the $30,600 level.