Main navigation

Yearn.Finance (YFI) Targeted by "Flash Loan" Attack, $11,000,000 Drained

Advertisement
Fri, 5/02/2021 - 12:04
Yearn.Finance (YFI) Targeted by "Flash Loan" Attack, $11,000,000 Drained
Cover image via stock.adobe.com
Read U.TODAY on
Google News
Advertisement

One of the most popular decentralized financial protocols, Yearn.Finance (YFI) launched by Andre Cronje, suffered an exploit: an attacker escaped with $2.8 million. According to the initial results of third-party investigations, the mysterious hacker utilized five separate DeFi protocols to perform such a sophisticated attack.

Yet another "flash loan" attack results in $2.8 million lost

Today, Feb. 5, 2021, it became known that Yearn.Finance (YFI) protocol was attacked through a "flash loan" exploit. The malefactors drained $11 million from a DAI vault and grabbed $2.8 mln in DAI and USDT stablecoins. The Yearn.Finance (YFI) team promptly confirmed that the attack occurred and began an investigation.

Article image
Image via Twitter

According to an anonymous developer who goes by @bantg on Twitter, the attack was mitigated successfully in about 10 minutes. If not for such a quick response, the attack could have been far more devastating:

The fast reaction has reduced the damage from $35m to $11m.

Advertisement

The first comprehensive analysis of what had happened was reported by the Peckshield cybersecurity team. They found that the attacker used a "forced investment" instrument to inject liquidity into a strategy that was not profitable at the moment.

Thus, the design flaw allowed the malefactor to perform a "flash loan attack" that involved dYdX, Aave Protocol (AAVE), Compound Finance (COMP), Curve Protocol (CRV) and Yearn.Finance (YFI) itself.

Article image
Image via Medium

Also, the malefactor eluded the enforced slippage control, a security mechanism that protects the system from such exploits. He/she repeated some of the steps of the hack to prevent the entire attack from being reversed.

YFI price collapses 11 percent in minutes

Immediately upon the disclosure of the attack, the Yearn.Finance (YFI) team disabled deposits for four vaults, i.e., DAI, TUSD, USDC and USDT pools.

At press time, the attacker's wallet still holds more than $2.2 million. He/she utilized the Tornado Cash mixer to obfuscate some transactions with stolen funds.

The price of YFI, a governance asset of Yearn.Finance (YFI) protocol, collapsed immediately after the first messages about the attack.

Article image
Image by CoinGecko

In less than 50 minutes, the YFI price lost about $4,000/YFI and touched the $30,600 level.

Related articles

Advertisement
TopCryptoNewsinYourMailbox
TopCryptoNewsinYourMailbox
Advertisement
Advertisement

Recommended articles

Latest Press Releases

Our social media
There's a lot to see there, too

Popular articles

Advertisement
AD