Decentralized finance (DeFi) yield aggregator yearn.finance (YFI) reveals the details of a hacking incident that caused a total loss of $11 million to the network.
According to Yearn’s vulnerability disclosure posted on GitHub Thursday, yearn.finance creator Andre Cronje noticed odd patterns in a contract interacting with the platform’s vaults at 21:45 UTC on February 4th.
Upon further examination, the complex and concerning transaction turned out to be an active exploit of the v1 yDAI vault.
Yearn says the attacker caused the compromised vault to deposit and withdraw funds from the automated market maker (AMM) Curve’s 3pool at unfavorable rates.
“At a high level, the exploiter was able to profit through the following steps:
Debalance the exchange rate between stablecoins in Curve’s 3CRV pool.
Make the yDAI vault deposit into the pool at an unfavorable exchange rate.
Reverse the imbalance caused in step 1.”
The security team mitigated the exploit in 11 minutes. Yearn says the quick response saved 24 million of the vault’s 35 million DAI under management.
Despite the team’s quick work, yearn.finance developer banteg says the attacker managed to get away with some deposited funds in the pool.
As for the cause of the attack, yearn.finance reports that a confluence of three factors led to the vulnerability.
“[First], the hacked vault’s slippage protection was set too loose at 1%. [Second], the normal 0.5% withdrawal fee was set to 0%, to encourage migrations to v2 vaults without incurring costs. [And third], this being a v1 vault, the exploiter was able to call earn() and push deposits into the vault’s strategy at will.”
Don't Miss a Beat – Subscribe to get email alerts delivered directly to your inboxFeatured Image: Shutterstock/Tithi Luadthong