The forward pocketed $ 2.8 million from Yearn Finance.
The yDai safe was exploited in a new „flash loan“ attack.
The YFI price fell 12% while the CRV gained 15%
Another exploit in a decentralized finance protocol allowed the attacker to steal several million dollars. This time, the protocol in question is Yearn Finance.
A developer Yearn Finance reported that its safe v1 yDAI was infiltrated by a malicious actor in the early hours of February 5. He added that the hacker ran away with $ 2.8 million, and the safe lost $ 11 million.
Strategy deposits have been disabled for version 1 DAI, TUSD, USDC, USDT vaults while the DeFi platform investigates. It appears that Curve Finance’s liquidity providers also benefited from the attack, to the tune of around $ 3 million.
A new flash loan attack
Research analyst Igor Igamberdiev analyzed the facts, stating that the assailant carried out eleven transactions. It started with a flash loan of 116,000 ETH from the dYdX exchange. Another flash loan of 99,000 ETH was granted by Aave v2, which was then used as collateral to borrow 134 million USDC and 129 million Dai on the Compound Finance platform.
The hacker added USDC and 36 million DAI to the 3crv Curve pool in order to remove 165 million USDT. This operation was repeated five times.
The remaining 93 million Dai was deposited in Yearn’s safe and the 165 million USDT went to the 3crv pool. The funds were then withdrawn from both pools after winning 3crv tokens, with the last withdrawal being 39 million Dai and 134 million USDC instead of USDT. Compound’s debt and the flash loan were then repaid.
“Each time the attacker had more 3crv tokens, which he could then exchange for stablecoins.”
Stani Kulechov, founder of Aave, said in a tweet that it was a complex attack involving more than 160 transactions on multiple DeFi platforms, costing more than $ 5,000 in gas fees. Investor Julien Thevenard said Curve Finance shareholders received more than $ 3 million from the loophole exploitation.