Yearn Finance, the yield aggregation protocol founded by Andre Cronje, has been hacked. One of the platform’s so-called vaults lost $11M, and the attacker got away with $2.8M.
It’s the first DeFi hack of the year, after $100M worth of attacks in the sector last year, according to a report by Ciphertrace. About half of the exploits, including this one from Yearn, have used flash loans (loans which don’t require collateral as long as they’re returned on the same block).
While the Yearn team has yet to release a postmortem, the attack’s nature could be categorized as an arbitrage. The hacker used a flash loan to borrow millions in crypto assets, use those assets as collateral to borrow more crypto, then repeatedly deposited those borrowed assets in a Yearn pool. The exploit consisted in manipulating the Dai rate in the pool, and benefitting from that rate by exchanging the liquidity provider tokens earned for stablecoins.
Most if not all DeFi attacks involve complex financial engineering, manipulating token prices, or liquidity in token pools, to get crypto at extremely favorable rates. It highlights the need for code in DeFi protocols to be ironclad, which is often far from reality. These projects are sometimes hacked together over the weekend and released without formal audits or tests —a “test in prod” strategy which has been championed by Yearn’s founder himself.
Step by Step
Here’s how it went down.
The attacker used flash loans to borrow 116K Ether from margin trading platform dYdX, and 99K from lending platform, Aave.
They were then able to use 215K ETH, worth ~$342M, as collateral to borrow 134M USDC and 129M DAI from lending platform, Compound Finance.
The attacker then added all of the borrowed USDC and 36M of the borrowed DAI to Curve Finance’s 3-token USDC/DAI/USDT pool. They then withdrew 165M USDT from the Curve pool.
Then the attacker repeated the strategy of depositing the remaining 93M DAI, borrowed from Compound into Yearn’s yDAI vault, adding the 165M USDT back into the Curve 3-token stablecoin pool (3pool), withdraw 92M DAI from the yDAI vault, then withdrawing the 165M USDT again from the Curve pool.
Each time the hacker executed the repeating part of the strategy they gained more Curve’s DAO Token, which they later converted to stablecoins, eventually netting them $2.8M, and losing Yearn’s vault, for whose deposits are now disabled, $11M.
Under the Hood
Key to understanding the exploit is that Yearn’s yDAI vault automatically deposits DAI into Curve’s 3pool, which the attack had already heavily saturated with USDC and DAI. In adding the third asset, USDT, to the pool, DAI is devalued, according to Curve’s protocol mechanics.
After withdrawing the DAI from yDAI, at a small loss due to the devaluation, and also withdrawing the USDT, USDC, and other DAI from the 3pool, the attacker reaps the extra rewards of Curve’s DAO Tokens for providing liquidity during a time when the DAI rate strayed from the pool’s other two assets.
The hack brought sarcastic comments hailing DeFi as “the future of finance,” as well as people questioning open finance’s uncensorable nature considering Yearn deposits were disabled, not entirely different from Robinhood’s limiting of GME stock purchases last week.
Still, others applauded the team’s quick reaction: it took 10 minutes and 14 seconds according to lead developer Banteg to mitigate the issue, a process which needed multiple players due to the multi-sig quorum required to modify the smart contracts.
Not everyone is unhappy either: other liquidity providers who staked on Curve’s 3pool received $3.5M in total.
In response, Tether has frozen the 1.7M USDT stolen in the attack, again casting a shadow on just how decentralized crypto really is.
All eyes now wait for the Yearn team’s postmortem.