The first DeFi exploit of 2021

Getting your Trinity Audio player ready...

How did it happen?

We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.

— yearn (@yearnfi) February 4, 2021

It began when the Yearn team announced that they noticed an exploit in the Yearn DAI vault.

Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. pic.twitter.com/1RWYyu0d5m

— banteg (@bantg) February 4, 2021

Hours later, a Yearn core developer that goes by Banteg, followed up by specifying the exact damage done in the attack; the attacker was able to pocket $2.8 in stolen funds from the exploit and Yearn’s Dai vault sustained a total loss of $11 million.

The exploit happened by way of flash loan attack, a method that we typically see used when it comes to DeFi exploits.  

“In a nutshell, someone deposited a bunch to Curve 3pool to manipulate DAI price given by the pool,” said Curve CEO Michael Egorov, “[Yearn’s] vault somehow was relying on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated many times taking flash-borrowed funds.”

Although the attacker was able to successfully execute the attack, Yearn’s security team was able to mitigate the overall damage by intervening midway through the exploit. 

“Acting in roughly 11 minutes, Yearn’s security team and multi-sig wallet signers were able to stop the exploit while it was underway, saving 24m DAI out of the vault’s total 35m DAI deposits,” said Yearn in their post-mortem report.

Next steps

Yearn has not announced any next steps, recompensation, or insurance plan for Yearn users that suffered losses due to the exploit; however, Tether CTO Paolo Ardoino says that Tether has frozen 1.7M USDT connected to the Yearn exploit.

The Yearn Finance exploit is the first of what will most likely be many DeFi exploits that take place this year. In 2020, 17 major DeFi hacks took place that resulted in a total of $154 in lost funds.