On November 14th, Value DeFi–a yield aggregating protocol–was exploited for $7.4 million. The attacker used the popular attack method of taking out a flash-loan to alter the prices of tokens in Value DeFi’s vaults before buying up the cheap tokens for themself. Subsequently, the attacker returned $2 million of the $7.4 million that they stole.
Value DeFi advertised its platform as having flash-loan attack prevention, fake-token attack prevention, and re-entrance attack prevention. But the attacker proved that none of those statements were true and left the Value DeFi team a message saying “ Do you really know flash loan?”
A sympathetic attacker
Two individuals reached out to the attacker via their wallet address and left them a private note pleading for the attacker to return their funds. One individual claimed to be a nurse who lost $100,000 in the attack; their note said,
I lost $100,000 in your attack. I am a nurse. These are all my savings. I hope you can return it to me. Everyone will get sick. Think of the nurses who care you when you are sick. I wish you always healthy and enjoy the happiness of the world. GOD BLESS YOU.
To which the attacker replied, “there are so many people who lack knowledge and caution, and sooner or later those money will be lost,” but regardless, sent the alleged nurse $50,500 in DAI.
Another individual sent the hacker a private note saying that they were a student who had lost $200,000 of their family’s life savings due to the attack. Shortly afterward, the attacker sent the alleged student $45,450 in DAI.
More attacks before the year-end?
The Value DeFi flash-loan exploit is the second flash-loan attack in just one week; a few days ago, the DeFi platform Akropolis was the victim of a flash-loan attack that led to the loss of $2 million. In each instance, the attacker did not actually hack or breach the DeFi platform. Instead, they used their advanced understanding of how DeFi smart contracts interact with one another to take advantage of flaws in the project’s code.
When it comes to DeFi platforms and projects, you must proceed with caution, the DeFi space is very new and there are still many undiscovered attack vectors that could leave you with your funds being stolen or permanently locked in the DeFi protocol.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.