Value DeFi protocol suffers $6 million flash loan exploit

Following a Twitter thread on Friday that highlighted the decentralized finance protocol’s flash loan exploit prevention methodology, Value DeFi appears to have been the victim of a $6 million flash loan exploit. 

At roughly 10:45 AM EST, a user took out a flash loan of 80,000 ETH (over $36 million) from lending protocol Aave. Aave developer Emilio Frangella immediately called attention to the loan:

80.000 eth flashloan on @AaveAave https://t.co/ngnHIoNKpi

— Emilio Frangella (@The3D_) November 14, 2020

According to Emiliano Bonassi, a self-described whitehat hacker and the co-founder of DeFi Italy, the attacker also sourced an additional $116 million flash loan in DAI from Uniswap.

Bonassi says that the attacker swapped the flash-loaned ETH for stablecoins, deposited part of the flash-loaned DAI into Value DeFi's multi-stablecoin vault, and then conducted a series of stablecoin swaps between USDT, USDC, and DAI designed to exploit the pricing used by the Value DeFi vault's withdrawal method.

This is the complex exploit I've ever seen. It used 2 FLASHLOANS, one with @AaveAave (80k ETH) and one using flashswap with @UniswapProtocol (116M DAI). In the image the steps! pic.twitter.com/nTm2SEgsur

— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 14, 2020

In an interview with Cointelegraph, Bonassi said that while it was conceptually similar to the recent attack on Harvest Finance, it was among the most complex exploits he'd seen, and "one of the very first times" an attacker has utilized two flash loans at once.

At 11:05, a statement in the community Discord acknowledged the exploit: 

We are aware of the current situation with the MultiStables vault. Please give us a bit of time to check. All other vaults and pools are working normally.

Shortly after the exploit, the attacker followed up with an Ethereum transaction that seemed to taunt the Value DeFi protocol with a message sent to the protocol’s deployer address:

"do you really know flashloan?"

The attacker paid $0.31 in ETH from his profits to send the message.

At 12:12, the protocol said in a statement on Twitter that they were preparing a postmortem on the exploit, which they said led to a loss of $6 million for users: 

The MultiStables vault was the subject of a complex attack that resulted in a net loss of $6M. https://t.co/dnFRa5yPBJ We are currently working on a postmortem and are exploring ways to mitigate the impact on our users.

— Value DeFi Protocol (@value_defi) November 14, 2020

Since the attack, the value of the $VALUE token has plunged over 25%, from 2.73 to 2.01 at press time. 

This exploit is just the latest in what has been a troubling week across the DeFi space, one that also featured an attack on the Akropolis protocol. In a tweet, Stani Kulechov of Aave signaled that the exploit is a sign of expanding attack vectors:

“Building resilient DeFi is becoming difficult.”

This article has been updated to include additional information
