Yearn.Finance, a decentralized finance (DeFi) project, suffered an exploit in which v1 yDAI lost about $11 million in digital assets. The exploit has now been eliminated.
The Yearn.Finance project allows for "income farming": users put their digital assets into pools and get interest for it. The platform recently upgraded its vaults, but the smart contracts remained unchanged. According to DeFi Pulse, the Yearn.Finance project is "entrusted" with $500 million in assets.
Users of Yearn's Discord and Telegram channels began reporting the leaked funds on the afternoon of Feb. 4. One user wrote, "Does anyone know why I have it written that I've lost thousands of DAI in the last few minutes?" In addition, a 1,059% loss notice appeared on Yearn.Finance's vault user interface.
Yearn.Finance also reported the attack on social networking site Twitter. Later a developer under the pseudonym banteg wrote that the organizer of the attack managed to get away with $2.8 million, and v1 yDAI vault lost about $11 million in assets. Deposits in DAI, TUSD, USDC and USDT are deactivated while the investigation is underway.
After word of the attack, Twitter user UniWhales DAO reported a large sale of YFI for ETH. The cryptocurrency sank in value by more than $5,000, from $34,979 to $29,580. YFI then gradually recovered to $31,500.
At the time of the attack, all funds were placed in 3pool on the Curve platform. 3pool houses DAI, USDT, and USDC, allowing users to exchange staplecoins for other assets with limited slippage.
According to Curve CEO Mikhail Egorov, someone invested "a lot of money" in 3pool to manipulate the price of DAI. Curve relied on that price, and after the attack, the contract was terminated. Such actions were repeated several times, and the attacker was able to take the borrowed funds.
Egorov added that this problem is well known and shared his thoughts with the Yearn.Finance team on how to prevent such vulnerabilities.
As a reminder, Yearn.Finance founder Andre Cronje launched Eminence gaming protocol in September, but investors lost $15 million due to a critical vulnerability.