DeFi yield farming project Yearn Finance announced that it suffered an exploit in which $11 million was lost. “We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow,” Yearn Finance tweeted.
Yearn developer banteg, one of the administrators of the DeFi project’s website, elaborated on the attack: “Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate.”
The suspected exploit involved 160 “nested transactions,” Aave founder and CEO Stani Kulechov said. Though the attackers robbed Yearn of $11 million, exorbitant fees cost them millions to execute the hack.
They reportedly only profited $2.7 million, while liquidity pool fees and staker fees during the attack both came to $3.5 million each. Aave v2 fees amounted to $1.4 million.
The hackers took out a series of flash loans from dYdX and Aave and used the funds as collateral for another loan on Compound. By doing this, the attacker essentially gamed the exchange rates on Yearn to accumulate CRV tokens to sell for stablecoins.
While the attack has been mitigated, the YFI governance token fell from $34,700 to $30,500. However, it has since recovered slightly above $31,800.
19 Major DeFi Hacks Last Year Alo
DeFi attacks are not uncommon; Almost $100 million was lost in DeFi hacks last year. These types of attacks for 20% of all crypto crimes in 2020.
There were over 19 major DeFi hacks last year, with $25 million lost to a drained dForce smart contract in April and $25 million lost in a flash loan exploit on the Harvest Finance platform in October.
Many of these attacks took advantage of flash loans, giving the tool a rather notorious reputation. The ease of access to flash loans for fast liquidity is a double-edged sword, granting people more financial freedom but also more liquidity to carry out major exploits like the latest yDAI vault hack.