
DeFi darling Yearn.finance (YFI) deployed a new token—then $15m was stolen

It’s been yet another crazy day for the decentralized finance (DeFi) ecosystem. If you’ve been on Twitter, you likely know of a new Ethereum project called Eminence and the subsequent $15 million hack.

Here’s a brief recap of what happened for those not yet in the know.

The launch(?)

24 hours ago as of this article’s writing, Andre Cronje, the founder of top Ethereum protocol Yearn.finance (YFI), deployed a series of new contracts pertaining to a project called Eminence.

There was no official announcement or website, only the tweet seen below, which seems to reference the title given to fans of the Synthetix protocol, “Spartans” (as in “This is Sparta”). Cronje retweeted the account, suggesting it was somehow related to him and Yearn.finance.

People scrambled to figure out what was going on.

Quickly, people on Twitter and on other social media platforms found that the Yearn.finance Deployer address on Ethereum, meaning Andre, had deployed a series of contracts on the blockchain.

The contracts pertained to new tokens, including Eminence (EMN), GIL (GP), and a series of “eTokens” that represented different coins like YFI, AAVE, SNX, and CRV DAO Token.

While nobody knew what the tokens were for, many were quick to FOMO into the contracts as many thought this was the launch of something big for the Yearn.finance project.

The main Eminence address, which was the entry point for the whole ecosystem, began to rack up deposits.

The FOMO

The first few hours went quietly, with only those in the know siphoning capital into these smart contracts.

But around 4-5 hours after the contracts were deployed, an inflection point was reached where top accounts on Twitter were tweeting about EMN.

Simultaneously, users were getting acclimated to the complicated smart contracts and the bonding curves through which the tokens were released. And so they FOMOed in.

In the span of an hour or two, the value locked in the EMN contract went from $3 million to $12 million as FOMO spread across the community.

Andrew Kang, founder of Mechanism Capital, remarked on the absurdity of the FOMO:

“People are sending millions of dollars to a smart contract for a token of a project we have no other information of besides a logo. There’s not even a live website so you need to buy by calling the contract.”

The hack

Shortly after Kang’s tweet, maybe around two hours later, it quickly became clear that something was wrong: the $15 million worth of the DAI stablecoin that was deposited in the contract was suddenly sent to another address in a suspicious transaction.

As can be seen below, the transaction consisted of a series of internal transactions within a single block that allowed the user to mint millions upon millions of EMN tokens and a sub-token, Eminence AAVE (eAAVE).

The transaction, along with two others done in succession, allowed the user to drain $15m worth of DAI from the pool to their own address.

Sources I spoke to quickly figured out what happened: there was a bug in the bonding curve of the contracts that allowed a user to buy tokens up the curve, where the curve got extremely steep due to the bug, and then sell them to those who had bought before them.

Since the user was using a “flash loan,” which lets one borrow coins for a single block, he was able to buy up the bugged curve many times before dumping the coins on the other users, thus extracting the DAI in the pool.
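
The round-trip property a contract reviewer would check on a bonding curve, as an added example (not Eminence’s code; this article does not describe the actual defect): a Bancor-style curve with weight 1/2, a constructed pool state, and a hypothetical defect in which a sub-token burn lowers supply without touching the DAI reserve, so the price 2R/s jumps. A flash-loan-funded buy-then-sell must net zero; the defective path nets a profit paid out of earlier depositors’ DAI, and the reserve-vs-supply invariant flags the drift before the sale happens.

```python
import math
from dataclasses import dataclass


@dataclass
class BondingCurve:
    """Bancor-style curve with connector weight 1/2: price = 2 * reserve / supply,
    so consistent accounting means reserve == supply**2 / (2 * slope)."""
    slope: float
    reserve: float   # DAI held by the contract
    supply: float    # tokens outstanding

    def buy(self, dai: float) -> float:
        minted = self.supply * (math.sqrt(1 + dai / self.reserve) - 1)
        self.reserve += dai
        self.supply += minted
        return minted

    def sell(self, tokens: float) -> float:
        payout = self.reserve * (1 - (1 - tokens / self.supply) ** 2)
        self.reserve -= payout
        self.supply -= tokens
        return payout

    def burn_without_reserve_update(self, tokens: float) -> None:
        # HYPOTHETICAL defect for illustration only: a sub-token contract
        # removes supply while the DAI reserve is untouched, so 2R/s jumps.
        self.supply -= tokens

    def accounting_drift(self) -> float:
        """Invariant check: 0.0 when the reserve matches the curve integral."""
        return self.reserve - self.supply ** 2 / (2 * self.slope)


def fresh_pool() -> BondingCurve:
    # Constructed state: $12m DAI from earlier depositors, 12m tokens at $2 each.
    return BondingCurve(slope=6_000_000.0, reserve=12_000_000.0, supply=12_000_000.0)


def round_trip_profit(flash_loan: float, buggy: bool) -> tuple[float, float]:
    """Simulate one atomic buy/sell cycle; return (net profit, drift observed)."""
    pool = fresh_pool()
    tokens = pool.buy(flash_loan)
    if not buggy:
        return pool.sell(tokens) - flash_loan, abs(pool.accounting_drift())
    half = tokens / 2
    pool.burn_without_reserve_update(half)   # convert half into the sub-token
    drift = abs(pool.accounting_drift())     # invariant is already broken here
    dai_out = pool.sell(tokens - half)       # remaining tokens sold on a steeper curve
    pool.supply += half                      # hypothetical 1:1 redemption of the sub-token
    dai_out += pool.sell(half)
    return dai_out - flash_loan, drift
```

With the constructed state and a $15m flash loan, the consistent curve returns exactly the $15m deposited, while the defective path returns about $940,800 more than was put in, and `accounting_drift()` is already non-zero right after the burn.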

After three minutes, $15 million in DAI was sitting in a user’s account.

But in a fascinating turn of events, $8 million was sent back to Andre, leaving many scratching their heads as to what was going on.

The fallout

After two hours of confusion, madness, and denial, Cronje revealed what had happened:

Basically, he deployed the contracts to stage the new Ethereum-based game Eminence, which he claims is still over three weeks away. The contracts were not finalized, but he deployed them anyway because he “tests in production.”

Of course, users found the contracts, and the rest is history. Cronje added that he is looking to return the $8 million he got from the hacker somehow, but it’s unclear how that will happen right now.

The community is divided over what this means for the ethos of “test in prod,” Andre, and the rest of the DeFi space.

Some are upset that he doesn’t test his contracts on a testnet; others think it is the fault of those who put in money, as there was no proper front-end or announcement.
