Yesterday, the Yearn Finance team reported that a yDAI exploit led to $2.8 million in losses. An anonymous individual supposedly hacked the yearn DAI v1 vault for $11 million in total but only managed to retrieve a small portion of it.
At the time of writing, Yearn developers have disabled DAI, TUSD, USDC, and USDT vaults while security experts investigate the scene.
The team plans to release a full report on the state of Yearn Vaults and yesterday’s vault. So far, there is no indication of when the report will arrive.
While both Yearn Finance’s and Andre Cronje’s Twitter profiles remain empty, core developer Banteg shared more information on the issue.
In a chain of different tweets, Banteg revealed that Yearn discovered and mitigated the exploit in the span of 10 minutes. In the short time frame, the attacker stole 513k in DAI, $1.7 million in USDT, and 506k in 3CRV. He executed a total of 11 transactions in order to perform the hack.
The exploit was performed through a string of flash loans gathered from dYdX and Aave V2. The hacker used these flash loans to interact with Compound and Curve Finance. After depositing and withdrawing the funds five times in a row, the hacker then directly attacked the yDAI vault on Yearn Finance.
Later on, Aave CEO Stani Kulechov tweeted the exact transaction of the exploit. It reveals that the hacker spent more than $5,000 in gas to extract a total of $2.8 million in DeFi tokens and stablecoins.
A research analyst from The Block also took the time to visualize the $11 million loss that the Yearn Finance yDAI vault had after the exploit. According to the researcher, the exploiter personally took $2.8 million. The rest ($8.4 million) was mostly lost with the vault’s Curve LP fees, Curve Stakers fees, and Aave V2 fees.
Yearn Finance yDAI exploit leads to 12% YFI dump
Only minutes after Yearn Finance shared the news, investors rushed to exchanges to sell YFI tokens. The major inflow of bearish pressure led to a price drop of 12%. Specifically, the governance token dropped from a high of $34,600 to a critical support line at $30,500.
Luckily enough, there were DeFi traders who bought the dip and even profited from it. Soon after the first mini-crash, YFI bounced and returned to $32,700.
At the time of writing, the cryptocurrency ranges as no formidable buyers are willing to step in. It is likely that the community waits for Yearn Finance to release its report and showcase what exactly happened.
In the meantime, blockchain cybersecurity firm PeckShield created a report of its own on February 5 that describes how the incident occurred.
Dubbed the ‘forced investment vulnerability,’ the exploit reportedly occurred through a series of flash loans, trades, and DAI deposits. The entire attack focused on Curve’s 3pool, with a goal to damage the vault.
After performing the same 5 steps numerous times, the hacker completed the exploit and ran away with $2.8 million. With assets being held in the following address, no one knows the real identity of the hacker, and it is unlikely that we will ever find out.
Until the individual sells his crypto for fiat currency, 3rd-party crypto analytics firms will not be able to analyze the flow of money and track it back to the hacker’s personal identity.