Yearn Finance DAI Vault ‘Has Suffered an Exploit’; $11M Drained

victoria-kure-wu-Hz4E3vJCJrg-unsplash
4 February 2021

UPDATE (Feb. 5, 15:41 UTC): Yearn published a detailed post-mortem about the exploit on Friday morning. Further, Tether announced the freeze of $1.7 million in USDT involved in the attack, according to Tether CTO Paolo Ardoino.

Yearn Finance has suffered an exploit in one of its DAI lending pools, according to the decentralized finance (DeFi) protocol’s official Twitter account

At 5:14 p.m. ET, banteg, from the Yearn team, posted in Discord: “Attacker got away with 2.8m, dai vault lost 11.1m.”

An Aave flash loan was used to trigger the vault draining, according to an Ethereum address presumed to be associated with the exploit.

Yearn Finance is one of the leading venues in DeFi, known for always enabling depositors to recoup all their yield in the token they initially deposited. The platform recently updated to a new suite of vaults, but like any smart contract platform, the prior smart contracts persisted. According to DeFi Pulse, Yearn currently has $500 million worth of assets entrusted to it. Even on version 1, many of its pools earn annual yields of well over 20%.

Users in the Yearn Discord and Telegram channels began reporting drains Thursday afternoon. At 4:38 p.m. ET in the Yearn Discord server, Jeffrey Bongos wrote, “Anyone know why v1Dai vault is showing that I’ve lost thousands of Dai in the last few minutes?”

At a little after 5 p.m. ET, the front end of the v1 DAI vault on the Yearn website showed a loss of 1059%.

Yearn’s YFI governance token had a price drop of $4,000 on the news. Just after the attack became public, the UniWhales Twitter account reported a large sale of YFI for ETH:

The vault attacked was Yearn’s v1 DAI vault, which updated to a new investment strategy last month, according to a blog post published by the Yearn team on Jan. 23.

The vault’s strategy at the time of the attack was to deposit all funds into the “3pool” on the automated market maker (AMM) Curve. Curve’s 3pool contains DAI, USDT and USDC, allowing users to swap any of the stablecoins for another at very low slippage.

“In a nutshell, someone deposited a bunch to Curve 3pool to manipulate DAI price given by the pool,” Curve CEO Michael Egorov told CoinDesk. “Vault somehow was relying on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated many times taking flash-borrowed funds.”

Egorov added:

"That's a well known issue (one could have it with Uniswap, too, however, Uniswap is not so popular for yield farming). I've expressed my thoughts to Yearn team how this could have been prevented (and similar vulnerabilities, too). But honestly, didn't expect them to have such a mistake in the code, that was a surprise to me."

UPDATE (Feb. 5, 2:41 UTC): Adds comments from Curve CEO Michael Egorov.

Disclosure
The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.