How $150m in Ethereum & DAI was used to steal $7m from a Yearn.finance competitor
It may seem like a broken record at this point, but yet another decentralized finance (DeFi) protocol was recently exploited.
And, once again, the exploit took place on a competitor of Yearn.finance (YFI).
Here’s more about what happened, and what DeFi users can do to prevent their funds from being attacked moving forward.
Yearn.finance fork ValueDeFi hacked for $7 million
In August and September, forking Yearn.finance was all the rage. Yearn.finance had rapidly become the crypto industry’s darling, with $1 billion in deposits and its native token YFI sporting a matching $1 billion market capitalization.
Forks upon forks were released.
One fork that gained traction was YF Value (YFV), which, like Yearn.finance, was marketed as a place for users to deposit cryptocurrencies and earn a steady and safe return. While extremely similar in concept to Yearn.finance, the marketing strategy worked: at its peak in early September, YFV had a market capitalization just shy of $150 million.
Unfortunately, YFV isn’t as safe as first thought.
On Saturday morning, users began to take notice of a large Ethereum transaction that involved Aave, Curve, Uniswap, and YF Value (now known as Value DeFi).
In that transaction, a user had withdrawn 80,000 ETH from Aave in a flash loan, along with another $116 million in DAI from Uniswap.
Those funds were subsequently traded to manipulate the price of stablecoins on Curve. This manipulation meant that the attacker was able to obtain Value deposit tokens worth more than the actual value of the stablecoins that underlie those tokens.
In total, $7.5 million worth of DAI was drained from Value, though $2 million was returned to the protocol by the pseudonymous attacker.
Unfortunately for depositors, just hours before the attack, Value had called itself the “most secured and advanced piece of technology in the DeFi space,” claiming its developers had accounted for well-known flaws in Ethereum smart contracts.
13 Hours Ago:
– Value DeFi calls itself “the most secured and advanced piece of technology in the DeFi space”
10 Hours Later:
– Flash loan attacked for $7 million pic.twitter.com/yYbWuYBX03
— Spencer Noon (@spencernoon) November 14, 2020
The exploit of Value comes after similar attacks took place with Akropolis and with Harvest Finance.
Avoiding protocols with bad oracle integration
At the core of many of these exploits and potential attack vectors is the lack of proper oracle integrations. An oracle is software that supplies data from outside a system to that system; in DeFi, oracles are most often used by protocols that need to know the price of a cryptocurrency.
“Honest” oracles use a variety of metrics, such as using an index or taking a snapshot, to mitigate the risk of price manipulation attacks.
The protocols that were exploited by flash loan attacks did not properly integrate oracles, allowing the inter-block prices of stablecoins to be manipulated to the advantage of exploiters.
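To make the oracle point concrete, the following added example (not code from Value DeFi, Curve, or the article) compares a deposit valued at a pool's current spot price with one valued from a snapshot average that refuses to price when spot has drifted. It assumes a toy fee-less constant-product pool rather than Curve's actual pricing curve; all names, reserves and the 2% threshold are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Toy constant-product pool (a * b = k), no fees. Constructed model."""
    reserve_a: float
    reserve_b: float

    def spot_price(self) -> float:
        return self.reserve_b / self.reserve_a  # price of A, in B

    def swap_b_for_a(self, amount_b: float) -> float:
        k = self.reserve_a * self.reserve_b
        self.reserve_b += amount_b
        a_out = self.reserve_a - k / self.reserve_b
        self.reserve_a -= a_out
        return a_out

@dataclass
class SnapshotOracle:
    """Mean of prices snapshotted at the end of earlier blocks."""
    window: int = 5
    snapshots: list = field(default_factory=list)

    def record(self, price: float) -> None:
        self.snapshots = (self.snapshots + [price])[-self.window:]

    def price(self) -> float:
        return sum(self.snapshots) / len(self.snapshots)

def value_deposit(amount_a, pool, oracle=None, max_deviation=0.02):
    """Value (in B) credited for depositing amount_a of token A."""
    spot = pool.spot_price()
    if oracle is None:
        return amount_a * spot  # weak: trusts the in-transaction spot price
    ref = oracle.price()
    if abs(spot - ref) / ref > max_deviation:
        raise ValueError("spot price deviates from oracle; deposit refused")
    return amount_a * ref  # hardened: priced from earlier blocks

def demo():
    pool, oracle = Pool(10_000_000, 10_000_000), SnapshotOracle()
    for _ in range(5):  # five quiet blocks at a 1.0 price (constructed)
        oracle.record(pool.spot_price())
    fair = value_deposit(1_000, pool, oracle)
    pool.swap_b_for_a(10_000_000)  # one large trade inside the current block
    naive = value_deposit(1_000, pool)
    try:
        value_deposit(1_000, pool, oracle)
        guarded = "accepted"
    except ValueError:
        guarded = "refused"
    return fair, naive, guarded

if __name__ == "__main__":
    print(demo())
```

The same 1,000-token deposit is credited four times its fair value when priced at spot, while the snapshot-based path rejects it because spot sits far outside the deviation bound.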