YFI vault lost US$11 million from hacking attack

DeFi yield aggregator protocol Yearn.finance (YFI) lost US$11 million in a recent cyberattack from which an unidentified hacker profited US$2 million. The hacker took advantage of YFI’s flash loan feature, which allows users to borrow and repay funds in rapid succession without the need for collateral.

In a tweet on February 5, YFI reported that the yDAI vault had suffered an exploit, which had already been mitigated. The unknown entity stole US$2.7 million worth of DAI after taking a series of flash loans from crypto lending programs dYdX and Aave. Afterwards, they used the funds as collateral to take out a loan on another lending program, Compound.

The yield aggregator company disclosed the details of the attack on GitHub. It revealed that the attacker created an imbalance between the USDT, USDC and DAI pools by depositing US$134 million worth of USDC and 36 million worth of DAI into Curve 3pool and withdrawing US$165 million worth of USDT.

Moreover, the attacker generated profit from the unusually low exchange rate between the three assets by repeatedly making small deposits and withdrawals. In the final transaction, the exploiter redeemed the 3CRV shares and withdrew US$39.4 million worth of DAI, which is US$2 million more than the initial deposit.

Following the attack, YFI compensated all affected users by opening a Maker vault from its newly expanded treasury. They minted 9.7 million DAI tokens from the vault and distributed them to users whose funds were lost due to the attack.

YFI announced the compensation in a tweet, saying, ‘It was done as a one-off celebration of going through this DeFi rite of passage. Don’t count on it happening again’. The rite of passage refers to the rising trend of DeFi projects suffering from cyberattacks.

The attack on YFI is the latest exploit in the decentralized finance (DeFi) sector, which has lost over US$100 million in the past year due to cyberattacks. DeFi attacks accounted for 20% of all crimes in the crypto sector in 2020. Companies offering flash loans suffered large losses, especially the Harvest Finance platform, which lost US$25 million in October.

Following the cyberattack, the YFI coin dropped 12% from US$34,700 to US$30,500. It has recovered since and currently sits at US$41,829.

