Yearn Finance faced an attack on its DAI lending pool this Thursday (February 4, 2021). According to its Discord, the threat actor “got away with 2.8m, dai vault lost 11.1m.” Now, it looks like the DeFi leader is willing to compensate those affected. Yearn tweeted:
“Yearn is evaluating options to make the exploited yDAI vault whole. The current path involves creating a Maker CDP with YFI and drawing the deficit, which will be repaid with protocol fees. To prevent realized loss, please refrain from withdrawing until the remedy is in place.”
What Happened In The Attack?
The threat actor exploited the yDAI vault using Aave, a DeFi lending platform that allows its users to take out flash loans. As per Yearn, the hacker used an Aave flash loan to trigger the yDAI vault drain. While Yearn had upgraded the majority of its smart contracts, some old bugs seem to have persisted. The Yearn community on Discord and Telegram reported the incident on Thursday (February 4, 2021) afternoon.
In its post-mortem report, Yearn noted:
“An exploit against Yearn’s v1 yDAI vault has led to 11m DAI of vault deposits being lost. Acting in roughly 11 minutes, Yearn’s security team and multi-sig wallet signers were able to stop the exploit while it was underway, saving 24m DAI out of the vault’s total 35m DAI deposits. By creating exchange rate imbalances in Curve’s 3pool, an exploiter was able to cause Yearn’s yDAI vault to deposit and withdraw funds from 3pool at unfavorable rates across a series of transactions.”
Tether Ltd, the largest stablecoin issuer in the world, also froze $1.7M USDT that was apparently involved in the breach, to contain the damage from the hack. Tether CTO Paolo Ardoino confirmed this himself.
What Is Yearn Finance?
Founded by Andre Cronje, Yearn is a decentralized ecosystem of aggregators that uses lending services such as Aave, Compound, dYdX, and Fulcrum to optimize your token lending. Tokens deposited in Yearn are converted to yTokens, which are periodically rebalanced to choose the most profitable lending services. As per DeFi Pulse, a little over $470M is currently locked up in Yearn contracts.
Following the hack, Yearn posted the following warning on its Twitter:
“In general, investing in Yearn is at your own risk. If you wish to protect yourself from exploits of external protocols in the future, please consider purchasing insurance for your deposits from Cover or Nexus mutual.”