Cryptocurrency News

Yearn Finance Suffers $11.1 Mln Hack – Market Update.

Yearn Finance has suffered an exploit in one among its DAI lending pools, consistent with the DeFi [Decentralized Finance] protocol’s official Twitter account announcement.

Within an official update from the Yearn team, tweeted in Discord: “Attacker got away with 2.8 Mln, dai vault lost $11.1 Mln.”

An Aave flash loan was employed to trigger the vault draining, consistent with an Ethereum address presumed to be related to the exploit.

Yearn Finance is one of the leading venues in DeFi, known for always permitting depositors to recoup all their yield within the token they initially deposited. The platform recently updated to a new suite of vaults, but like all smart contract platforms, the prior smart contracts persisted. Consistent with DeFi Pulse, Yearn presently has $500 Mln worth of assets entrusted thereto. Even on version 1, many of its pools earn annual yields of overflow 20%.

Users within the Yearn Discord and Telegram channels began circulating earlier on Thursday afternoon. At 4:38 p.m. ET within the Yearn Discord server, Jeffrey Bongos added, “Anyone knows why v1Dai vault is showing that I’ve lost thousands of Dai within the earlier couple of minutes?”

After 5 p.m. ET, the front of the v1 DAI vault on the Yearn website illustrated a loss of 1059%.

Yearn’s YFI governance token had a price drop of $4k on the news. Just after the attack became public, the UniWhales Twitter account reported an outsized sale of YFI for ETH:

The vault attacked was Yearn’s v1 DAI vault, which updated to a new investment strategy last month, consistent with the official web-blog post revealed by the Yearn team on 23rd Jan.

The vault’s strategy at the time of the attack was to deposit all funds into the “3pool” on the AMM [Automated Market Maker] Curve. Curve’s 3pool consists of DAI, USDT, and USDC, permitting users to swap any of the stablecoins for an additional at very low slippage.

“In a nutshell, someone deposited a bunch to Curve 3pool to control DAI price given by the pool,” Curve CEO Michael Egorov explained. “Vault somehow was counting on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated repeatedly taking flash-borrowed funds.”

Adding further, Egorov explained:

“That’s a documented issue [one could have it with Uniswap, too, however, Uniswap isn’t so popular for yield farming]. I’ve expressed my thoughts to yearn team on how this might have prevented [and similar vulnerabilities, too]. But honestly, didn’t expect them to possess such an error within the code, that was a surprise to me.”

Leave a Comment

Your email address will not be published. Required fields are marked *