🏴☠️ 2021's First Major DeFi Hack Explained
Yearn Finance lost $11M.
Hello Defiers! We’re pushing the podcast episode for tomorrow to cover DeFi’s first hack of the year. It’s a big one as one of the sector’s most popular protocols was the victim. The latest on the Yearn Finance exploit below.
Yearn Finance, the yield aggregation protocol founded by Andre Cronje, has been hacked. One of the platform’s so-called vaults lost $11M, and the attacker got away with $2.8M.
It’s the first DeFi hack of the year, after $100M worth of attacks in the sector last year, according to a report by Ciphertrace. About half of the exploits, including this one on Yearn, have used flash loans (loans which don’t require collateral as long as they’re returned within the same block).
While the Yearn team has yet to release a postmortem, the attack’s nature could be categorized as an arbitrage. The hacker used a flash loan to borrow millions in crypto assets, used those assets as collateral to borrow more crypto, then repeatedly deposited those borrowed assets in a Yearn pool. The exploit consisted of manipulating the Dai rate in the pool, and benefitting from that rate by exchanging the liquidity provider tokens earned for stablecoins.
Most if not all DeFi attacks involve complex financial engineering, manipulating token prices or liquidity in token pools to get crypto at extremely favorable rates. This highlights the need for code in DeFi protocols to be ironclad, which is often far from reality. These projects are sometimes hacked together over the weekend and released without formal audits or tests, a “test in prod” strategy which has been championed by Yearn’s founder himself.
Step by Step
Here’s how it went down.
The attacker used flash loans to borrow 116K Ether from margin trading platform dYdX, and 99K from lending platform Aave.
They were then able to use 215K ETH, worth ~$342M, as collateral to borrow 134M USDC and 129M DAI from lending platform Compound Finance.
The attacker then added all of the borrowed USDC and 36M of the borrowed DAI to Curve Finance’s 3-token USDC/DAI/USDT pool. They then withdrew 165M USDT from the Curve pool.
The attacker then repeated the following strategy: depositing the remaining 93M DAI borrowed from Compound into Yearn’s yDAI vault, adding the 165M USDT back into the Curve 3-token stablecoin pool (3pool), withdrawing 92M DAI from the yDAI vault, then withdrawing the 165M USDT again from the Curve pool.
Each time the hacker executed the repeating part of the strategy, they gained more of Curve’s DAO Token, which they later converted to stablecoins, eventually netting them $2.8M and costing Yearn’s vault, whose deposits are now disabled, $11M.
Under the Hood
Key to understanding the exploit is that Yearn’s yDAI vault automatically deposits DAI into Curve’s 3pool, which the attacker had already heavily saturated with USDC and DAI. Adding the third asset, USDT, to the pool devalues DAI, according to Curve’s protocol mechanics.
After withdrawing the DAI from yDAI, at a small loss due to the devaluation, and also withdrawing the USDT, USDC, and other DAI from the 3pool, the attacker reaps the extra rewards of Curve’s DAO Tokens for providing liquidity during a time when the DAI rate strayed from the pool's other two assets.
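As an added illustration (not code from Yearn, Curve or The Defiant), the sketch below implements the StableSwap invariant used by Curve-style pools to show how a pool saturated with DAI and USDC quotes DAI off its 1:1 peg, and a hypothetical guard a vault could run before depositing. The amplification value, fixed-point scale, pool balances, 0.5% tolerance and all function names are assumptions, and fees are ignored.

```python
N = 3                      # coins in the pool
DAI, USDC, USDT = 0, 1, 2
UNIT = 10**6               # assumed fixed-point scale: one token = 10**6
AMP = 200                  # assumed amplification coefficient

def get_d(xp, amp=AMP):
    """Solve the StableSwap invariant for D by Newton iteration."""
    s, ann = sum(xp), amp * N
    d = s
    for _ in range(255):
        d_p = d
        for x in xp:
            d_p = d_p * d // (x * N)
        d_prev = d
        d = (ann * s + d_p * N) * d // ((ann - 1) * d + (N + 1) * d_p)
        if abs(d - d_prev) <= 1:
            break
    return d

def get_y(i, j, x_new, xp, amp=AMP):
    """Balance of coin j that keeps D constant once coin i holds x_new."""
    d, ann = get_d(xp, amp), amp * N
    c, s = d, 0
    for k in range(N):
        if k == j:
            continue
        xk = x_new if k == i else xp[k]
        s += xk
        c = c * d // (xk * N)
    c = c * d // (ann * N)
    b = s + d // ann
    y = d
    for _ in range(255):
        y_prev = y
        y = (y * y + c) // (2 * y + b - d)
        if abs(y - y_prev) <= 1:
            break
    return y

def dai_rate(xp, probe=1_000_000 * UNIT):
    """USDT received per DAI for a probe-sized swap, fees ignored."""
    return (xp[USDT] - get_y(DAI, USDT, xp[DAI] + probe, xp)) / probe

def deposit_allowed(xp, max_dev=0.005):
    """Guard: refuse to add DAI while its pool rate is off the 1:1 peg."""
    return abs(1.0 - dai_rate(xp)) <= max_dev

# Constructed pool states [DAI, USDC, USDT], not on-chain data.
BALANCED = [200_000_000 * UNIT] * 3
SKEWED = [236_000_000 * UNIT, 334_000_000 * UNIT, 35_000_000 * UNIT]
```

With these constructed balances the balanced pool quotes DAI within a fraction of a basis point of the peg, while the skewed pool quotes it several percent below, so the guard rejects the deposit.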
The hack brought sarcastic comments hailing DeFi as “the future of finance,” as well as people questioning open finance’s uncensorable nature considering Yearn deposits were disabled, not entirely different from Robinhood’s limiting of GME stock purchases last week.
Still, others applauded the team’s quick reaction: it took 10 minutes and 14 seconds according to lead developer Banteg to mitigate the issue, a process which needed multiple players due to the multi-sig quorum required to modify the smart contracts.
Not everyone is unhappy either: other liquidity providers who staked on Curve’s 3pool received $3.5M in total.
In response, Tether has frozen the 1.7M USDT stolen in the attack, again casting a shadow on just how decentralized crypto really is.
All eyes now wait for the Yearn team’s postmortem.