On Feb 4, 2020, top DeFi protocol Yearn Finance (YFI) reported that it had been exploited by a hacker to the tune of $11M. The malicious attacker drained the funds from one of the DAI lending pools, as per a report from the DeFi platform’s Twitter account.
Details have now emerged that the hack targeted Yearn’s v1 DAI vault, which updated to a new investment strategy last month. At the time of the breach, the vault’s strategy was to deposit all user funds into the “3pool” on Curve’s automated market maker.
Curve’s 3pool contains USDT, DAI, and USDC, enabling YFI users to swap between these stablecoins at very low slippage. Unfortunately, the attacker managed to find a mistake in the code that allowed him to trigger an Aave flash loan and drain the lending pool.
According to Stani Kulechov, founder of DeFi protocol Aave, the transaction at the core of the YFI exploit was very complex. It involved multiple DeFi protocols and over 160 nested transactions that spent approximately $5,000 in ETH gas fees.
All deposits to the V1 DAI, USDC, USDT, and TUSD vaults have been suspended while investigations into the exploit take place.
More On the Yearn Finance Protocol Exploit
Yield farmers on YFI started noticing anomalies with the targeted pool yesterday at around 4:38 p.m. ET. Yearn Discord and Telegram channel users quickly raised the alarm that the v1 DAI vault was losing thousands of DAI tokens in a very short period.
Their fears were confirmed less than an hour later when the v1 DAI vault’s front end started showing a massive loss of 1059%. The official Yearn.Finance Twitter page then confirmed the incident, explaining that the dev team had successfully mitigated the attack.
Banteg, one of the leading Yearn Finance core developers, later posted on the Yearn Discord that the attacker got away with $2.8M in crypto while the vault lost $11M.
Nevertheless, the unknown hacker couldn’t cash in on the lion’s share of his loot. According to Banteg, the attacker made away with 513,000 DAI and $1.7M USDT, which translated into profits of $2.8M. The rest of the drained funds were in the form of CRV tokens.
In the end, about $3M from the heist ended up with Curve liquidity providers, meaning that ordinary DeFi users received more funds from the YFI exploit than its mastermind.
YFI Price and TVL Remain Stable
Shortly after news of the YFI exploit started circulating on social media, the YFI governance token crashed from $35K to a low of $29,600. The plunge was likely a result of whales swapping a massive amount of YFI for ETH, an event that was flagged by the UniWhales Twitter account just after the attack.
Despite this panic selling, the YFI token price quickly rebounded back above $30K and has remained stable ever since. Yearn’s total value locked (TVL) has also remained relatively steady, dropping just 4% from $526M to $507M.