Curve liquidity providers see $3M windfall from $11M Yearn.finance exploit

Published at: Feb. 5, 2021

DeFi protocol Yearn Finance has reported that its V1 yDAI vault was exploited by a hacker to the tune of $11 million on Feb. 5. However, the hacker failed to reap the lion’s share of the heist, with Curve liquidity providers making more from the attack than its mastermind.

While the vault lost $11 million in total, Yearn developer “Banteg” tweeted that the hacker had only been able to profit to the tune of $2.8 million. The team has suspended all deposits to its V1 DAI, USDC, USDT, and TUSD amid an ongoing investigation.

Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. pic.twitter.com/1RWYyu0d5m

— banteg (@bantg) February 4, 2021

Cointelegraph reached out to the developer for comments regarding the attack, but Banteg indicated the team does not wish to make further comments on the incident until their investigations into the exploit have been completed.

Banteg did share an analysis of the incident suggesting the hacker had been able to steal 513,000 DAI and $1.7 million USDT, with the remainder of their stash taking the form of CRV tokens.

Stani Kulechov, the founder of flash-loan protocol Aave, tweeted that the attack comprised a complex exploit involving more than 160 transactions across multiple DeFi platforms that spent more than $5,000 in gas fees.

Complex exploit with over 160 nested transactions transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss https://t.co/WdqMGTuBQF https://t.co/MoaZIfGKGa

— stani.eth v2 is live (@StaniKulechov) February 4, 2021

VC investor Julien Thevenard noted that more than $3 million of the funds stolen from the vault had been received by liquidity providers on DeFi lending platform Curve. Banteg indicated to Cointelegraph that Thevenard’s analysis is accurate.

In this exploit, the arber got away with $2.8M and @CurveFinance stakers received over $3M ... https://t.co/TV7u2VM4BU pic.twitter.com/NgyIyjpbwC

— Julien Thevenard (@JulienThevenard) February 4, 2021

News of the exploit appears to have driven a 15% crash in the price of Yearn Finance’s governance token in less than two hours with YFI plunging from $35,000 to a local low of $29,600. YFI last changed hands for $31,070 at the time of writing.

Despite the crash, Yearn’s total value locked has remained relatively steady, with its TVL falling just 4% from $526.5 million to $507.2 million, according to DeFi Pulse.

The Feb. 4 attack is not the first to target a project from Yearn lead developer Andre Cronje, with a hacker draining $15 million from Eminence — an unfinished project that Cronje’s followers rushed to lock funds in — after the developer went to bed one night in September 2020.

Tags
Related Posts
​​Cream Finance DeFi platform loses $19M in a flash loan hack
Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform. An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield. Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated. C.R.E.A.M. v1 market on …
Decentralization / Aug. 30, 2021
‘DeFi done right’: Layer-one protocol launches mainnet
A decentralized finance protocol has launched its mainnet — describing it as a crucial step on the journey to a frictionless financial future. Radix, which describes itself as a platform for smart money, is also launching Instapass with its Olympia mainnet — an optional user and developer service that delivers the world’s first single sign-on solution for building compliant DeFi. The Radix mainnet is being positioned as a generational improvement in the history of decentralized ledger computing — and one that delivers 100 times more executional efficiency than the Ethereum Virtual Machine. This comes hot on the heels of the …
Decentralization / July 29, 2021
Yearn.Finance puts expanded treasury to use by repaying victims of $11M hack
Major decentralized finance protocol Yearn.Finance (YFI) has restored its yDAI vault in the aftermath of a $11 million exploit by hackers. Yearn announced Tuesday that they opened a Maker vault with YFI tokens from the treasury and minted 9.7 million DAI tokens from the vault to keep the yDAI vault intact. Using borrowed money allows the project to reimburse users without taking a hit to the treasury, either due to possible YFI appreciation or by gradually repaying the debt with protocol revenue. The team said that this is a one-off occurrence, as they expect users to hedge their own risks …
Technology / Feb. 9, 2021
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Tornado Cash says it's using Chainalysis oracles to block access from OFAC sanctioned addresses
On Friday, Tornado Cash announced that it was using oracle contracts from Chainalysis to block wallet addresses sanctioned by the U.S. Office of Foreign Assets Control, or OFAC. The move comes after the U.S. Department of the Treasury linked North Korean cybercriminal Lazarus Group as an alleged perpetrator for the recent $600 million+ Ronin Bridge exploit. As told by blockchain analytics firm Elliptic, the hackers have sent approximately $80.3 million worth of Ether (ETH) through Tornado Cash. "Maintaining financial privacy is essential to preserving our freedom; however, it should not come at the cost of non-compliance," said the Tornado Cash …
Technology / April 15, 2022