No protocol is too big to fail.
The extreme power of flash loans makes blue chips fade to black. An arbitrage attack on the Yearn DAI v1 vault shows that even our most experienced developers can still make mistakes.
The vault was attacked using 9 flash loans. $11 million was lost from the vault, $2.7m of which went to the attacker, $3.5m went to Curve liquidity providers, $3.5m went to Curve stakers, and $1.4m was paid in Aave v2 fees.
DeFi systems are in constant flux. Increasingly intertwined protocols create an infinite machine with countless moving parts.
The development of our industry moves at breakneck speed, and new ideas and potential attack vectors are uncovered everyday.
A constantly changing environment means even time tested products can’t guarantee absolute security.
Falling victim to an arbitrageur must be humiliating for the team who were once seen as unbeatable, but there is no pleasure to be taken from pointing out flaws in the work of developers who create so much value in our field.
The Yearn team have issued their version of a post-mortem, although flashloans are not mentioned.
Igor Igamberdiev gave a more detailed analysis of the attack on Twitter.
- 513k DAI
- 1.7M USDT
- remaining 506k 3CRV (~$1)
The attacker executed 11 transactions.
1/ Flash loaned 116k ETH from dYdX
2/ Flash loaned 99k ETH from Aave v2
3/ Borrow 134M USDC and 129M DAI using ETH as collateral on Compound
4/ Add 134M USDC and 36M DAI to 3crv Curve pool
5/ Withdraw 165M USDT from 3crv Curve pool
6/ Repeat five times
- Deposit 93M DAI to yDAI vault (less w/ each time)
- Add 165M USDT to 3crv pool
- Withdraw 92M DAI from yDAI vault (less w/ each time)
- Withdraw 165M USDT from 3crv pool
7/ In the last time withdraw 39M DAI and 134M USDC instead USDT
8/ Repay Compound debts
9/ Repay flash loans
Each time the attacker had more 3crv tokens, which he was later able to swap for stablecoins.
Attacker contract: https://etherscan.io/address/0x62494b3ed9663334e57f23532155ea0575c487c5Attac
Tornado TX #1
Tornado TX #2
Tornado TX #3
Tornado TX #4
The profit opportunity was created because the withdrawal fee had been turned off for vault migration.
Readers will know there’s nothing new about flash loan attacks, and so will Yearn developers, who are competent enough to have prevented this from happening, suggesting this was just an opportunist taking advantage of a mistake made during the vault migration.
Gossip and drama remains high in the DeFi community; and many considered this attack to be a reprisal for Cronje’s earlier accusations of hypocrisy against Julien Bouteloup; one of the contributors to Stake DAO.
Although many of our readers (and your anonymous author) would secretly enjoy watching such a battle between the two developers, these accusations were proven to be false as the attackers account was funded and the contract written hours before this criticism was made.
As two of the most prominent developers in our industry, there is bound to be some competition. Passion for their work and the responsibility of tying your reputation to code housing hundreds of millions of dollars puts working relationships under huge amounts of stress.
It’s also worth remembering that not all of our best developers are on Twitter.
If a DeFi protocol receives refunds from a centralised company, at what point does it stop being DeFi?
Tether has frozen 1.7M USDT that was stolen during the hack. In the past, Tether has reimbursed users who mistakenly lost money by sending tokens to the contract address.
If Tether burns these stolen tokens and mints the equivalent in order to return the funds to Yearn, then they are no different to any central bank.
Yearn developer @fubuloubu has spoken out against the use of Tether in the past, but seems to have changed his mind after their intervention.
We all love decentralisation when it brings us profit, but refunds are best served centralised.
This attack went straight to the heart of one of the biggest DeFi conglomerates, shaking the foundations of what was once seen as an impenetrable fortress.
Even the best in the business make mistakes, but this should not deter us from encouraging them to build.
When tensions are high and DeFi teams begin to take sides against one another, we would all do well to zoom out and look at the bigger picture.
Eventually we will look back on this period with nothing but respect for all those who shared the vision at such an early stage
Last night, the first crack appeared in Yearn’s armour. Will their mistake make the community lose their faith, or can we all rally behind this giant of DeFi, and help them to grow even stronger?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
Donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
You might also like...
Attacks can happen at any time, but the weekends are always busiest. Social tokens haven’t taken off yet, but that doesn’t mean Roll didn’t get rekt. $5.7 million gone, and still no word from the Roll team.
Is it dead or has it just gone to bed? DODO was hacked for $2 million using a fake token attack, but the motive remains unclear. One thing’s for sure, whether hat white or black - only $2 million? Must try harder.
Willy Wonka returns with the infinite mint, creating 59,471,745.571 PAID tokens before dumping them onto the unsuspecting Oompa Loompas who were providing liquidity to the PAID/ETH pair on Uniswap.