
Yearn.Finance (YFI) Targeted by "Flash Loan" Attack, $11,000,000 Drained

Fri, 02/05/2021 - 12:04
Vladislav Sopov
Popular "yield farming" aggregator Yearn.Finance (YFI) suffered an exploit that resulted in a flash crash of the YFI price and multi-million dollar losses.

One of the most popular decentralized financial protocols, Yearn.Finance (YFI), launched by Andre Cronje, suffered an exploit: an attacker escaped with $2.8 million. According to the initial results of third-party investigations, the mysterious hacker utilized five separate DeFi protocols to perform this sophisticated attack.

Yet another "flash loan" attack results in $2.8 million lost

Today, Feb. 5, 2021, it became known that the Yearn.Finance (YFI) protocol was attacked through a "flash loan" exploit. The malefactors drained $11 million from a DAI vault and grabbed $2.8 million in DAI and USDT stablecoins. The Yearn.Finance (YFI) team promptly confirmed that the attack occurred and began an investigation.

[Image: Yearn.Finance (YFI) confirms $11M attack. Image via Twitter]

According to an anonymous developer who goes by @bantg on Twitter, the attack was mitigated successfully in about 10 minutes. If not for such a quick response, the attack could have been far more devastating:

The fast reaction has reduced the damage from $35m to $11m.

The first comprehensive analysis of what had happened was published by the PeckShield cybersecurity team. They found that the attacker used a "forced investment" instrument to inject liquidity into a strategy that was not profitable at the time.

Thus, the design flaw allowed the malefactor to perform a "flash loan attack" that involved dYdX, Aave Protocol (AAVE), Compound Finance (COMP), Curve Protocol (CRV) and Yearn.Finance (YFI) itself.

[Image: PeckShield experts unveil the design of the recent attack. Image via Medium]

Also, the malefactor eluded the enforced slippage control, a security mechanism that protects the system from such exploits. He/she repeated some of the steps of the hack to prevent the entire attack from being reversed.

YFI price collapses 11 percent in minutes

Immediately upon the disclosure of the attack, the Yearn.Finance (YFI) team disabled deposits for four vaults, namely the DAI, TUSD, USDC and USDT pools.

At press time, the attacker's wallet still holds more than $2.2 million. He/she utilized the Tornado Cash mixer to obfuscate some transactions with stolen funds.

The price of YFI, a governance asset of the Yearn.Finance (YFI) protocol, collapsed immediately after the first reports of the attack.

[Image: YFI price plummets 11% in an hour. Image by CoinGecko]

In less than 50 minutes, the YFI price lost about $4,000/YFI and touched the $30,600 level.
