Yearn’s YFI Drops Following a USD 11M-Heavy Exploit (UPDATED)

Sead Fadilpašić

Decentralized finance (DeFi) protocol yearn.finance‘s YFI dropped more than USD 4,000 after one of its DAI lending pools was drained of USD 11m in an exploit. (Updated at 15:48 UTC with Yearn’s vulnerability disclosure, Paolo Ardoino’s tweet, the latest price data.)

Yearn’s YFI governance token saw an abrupt USD 4,190 drop last night. Though the price has increased somewhat, it’s still lower than yesterday’s levels. YFI is currently (15:47 UTC) trading at USD 32,671. It dropped 2.7% in the past 24 hours, while it’s still green in a week, appreciating 10%.

Following the attack, the UniWhales DAO account started reporting large sales of YFI for ETH.

According to DeFi Pulse, Yearn’s total value locked saw a 3.5% drop since yesterday – from USD 507.8m to the current USD 490.5m.

“We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow,” wrote yearn.finance in their tweet last night.

Per a post from Yearn’s core developer, banteg, the attacker took USD 2.8m, while the vault lost USD 11m.

Several hours later, Banteg shared a vulnerability disclosure, which confirmed that the DAI 11m of vault deposits were lost. Meanwhile, the exploiter got away with an estimated DAI 2.7m profit – they profited by “holding a portion of the Curve 3pool during the attack, and withdrawing to a combination of USDT, DAI, and ETH,” wrote the team, adding that,

“Acting in roughly 11 minutes, Yearn’s security team and multi-sig wallet signers were able to stop the exploit while it was underway, saving 24m DAI out of the vault’s total 35m DAI deposits.”

According to yearn.finance, the exploit was done in the following steps:

  1. debalance the exchange rate between stablecoins in Curve’s 3CRV pool;
  2. make the yDAI vault deposit into the pool at an unfavorable exchange rate;
  3. reverse the imbalance caused in step 1;
  4. repeat this pattern in a series of 11 transactions executed over 38 minutes before being mitigated.

The report stated that “deposits into the strategy were effectively disabled, preventing further exploits from taking place.”
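The effect in step 2 can be seen in a small model. This is an added example, not code from Yearn, Curve or the disclosure: it assumes a two-coin StableSwap pool with no fees, a constructed amplification value and constructed balances, and the `check_deposit` guard is a hypothetical illustration of a minimum-output check, not the fix Yearn applied.

```python
# Simplified model: 2-coin StableSwap pool, no fees (Curve's 3pool has three coins).
N = 2
A = 100  # amplification; constructed value, not the real pool's parameter

def get_d(balances, amp=A):
    """Solve the StableSwap invariant for D by Newton iteration."""
    s = sum(balances)
    if s == 0:
        return 0.0
    d, ann = float(s), amp * N
    for _ in range(255):
        d_p = d
        for x in balances:
            d_p = d_p * d / (x * N)
        d_prev = d
        d = (ann * s + d_p * N) * d / ((ann - 1) * d + (N + 1) * d_p)
        if abs(d - d_prev) <= 1e-6:
            break
    return d

def lp_for_deposit(balances, i, amount, lp_supply):
    """LP tokens minted for a single-coin deposit of `amount` into coin i."""
    d0 = get_d(balances)
    after = list(balances)
    after[i] += amount
    return lp_supply * (get_d(after) - d0) / d0

def check_deposit(balances, i, amount, max_slippage_bps=50):
    """Return (ok, lp_out, min_lp); ok is False when the pool prices the
    deposit worse than the tolerance (hypothetical guard)."""
    lp_supply = get_d(balances)  # assumption: one LP token is worth 1.0
    lp_out = lp_for_deposit(balances, i, amount, lp_supply)
    min_lp = amount * (1 - max_slippage_bps / 10_000)
    return lp_out >= min_lp, lp_out, min_lp

# Constructed pool states; index 0 is the coin being deposited.
BALANCED = [5_000_000.0, 5_000_000.0]
IMBALANCED = [10_000_000.0, 100_000.0]  # heavily skewed toward coin 0

if __name__ == "__main__":
    for name, pool in (("balanced", BALANCED), ("imbalanced", IMBALANCED)):
        ok, lp_out, min_lp = check_deposit(pool, 0, 1_000.0)
        print(f"{name:10s} lp_out={lp_out:8.2f} min_lp={min_lp:.2f} accept={ok}")
```

In the balanced pool a 1,000-unit deposit mints almost exactly 1,000 LP tokens, while the same deposit into the skewed pool mints far fewer, which is the loss a minimum-output check catches.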

Meanwhile, stolen USDT 1.7m have been frozen, announced Tether Chief Technology Officer Paolo Ardoino.

As soon as the attack became public, some commenters thought that they might have identified the Ethereum (ETH) address in question, according to which the vault was drained using an Aave flash loan.

Aave founder and CEO Stani Kulechov described this as a “complex exploit with over 160 nested transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss.”

Furthermore, according to investor Julien Thevenard, liquidity providers on lending platform Curve Finance received over 3m of the stolen funds.

While Curve Finance didn’t comment on that, they said the Yearn team’s reaction to the incident was “impressive.”

This is far from the only exploit targeting DeFi platforms in the past year. Just recently, an exploit was reportedly discovered on yCredit, a DeFi protocol launched by Yearn Finance founder Andre Cronje. He did, however, warn that yCredit is experimental and can be “economically exploited.”

And millions were lost in multiple attacks last year, such as those on Value DeFi, bZx, Balancer, Akropolis, Harvest Finance, and others.

Meanwhile, CipherTrace, a crypto intelligence firm, recently said that DeFi-related crime is on the rise, and claimed that fraud still accounted for a whopping 73% of all crypto crime.

At the end of last year, industry insiders predicted that attacks on DeFi platforms and protocols — particularly new ones — will rise in 2021.