Global fintech and funding innovation ecosystem

First Major DeFi Hack of the Year Explained

The Defiant | Owen Fernau | Feb 5, 2021

yearn finance hack step 1 of multiple - First Major DeFi Hack of the Year Explained

The latest on the Yearn Finance exploit below.

Yearn Finance, the yield aggregation protocol founded by Andre Cronje, has been hacked. One of the platform’s so-called vaults lost $11M, and the attacker got away with $2.8M.

It’s the first DeFi hack of the year, after $100M worth of attacks in the sector last year, according to a report by Ciphertrace. About half of the exploits, including this one from Yearn, have used flash loans (loans which don’t require collateral as long as they’re returned on the same block).

While the Yearn team has yet to release a postmortem, the attack’s nature could be categorized as an arbitrage. The hacker used a flash loan to borrow millions in crypto assets, use those assets as collateral to borrow more crypto, then repeatedly deposited those borrowed assets in a Yearn pool. The exploit consisted in manipulating the Dai rate in the pool, and benefitting from that rate by exchanging the liquidity provider tokens earned for stablecoins.

See:  Are Stablecoins Better Than Bitcoin?

Most if not all DeFi attacks involve complex financial engineering, manipulating token prices, or liquidity in token pools, to get crypto at extremely favorable rates. It highlights the need for code in DeFi protocols to be ironclad, which is often far from reality. These projects are sometimes hacked together over the weekend and released without formal audits or tests —a “test in prod” strategy which has been championed by Yearn’s founder himself.

Step by Step

Here’s how it went down.

The attacker used flash loans to borrow 116K Ether from margin trading platform dYdX, and 99K from lending platform, Aave.

They were then able to use 215K ETH, worth ~$342M, as collateral to borrow 134M USDC and 129M DAI from lending platform, Compound Finance.

The attacker then added all of the borrowed USDC and 36M of the borrowed DAI to Curve Finance’s 3-token USDC/DAI/USDT pool. They then withdrew 165M USDT from the Curve pool.

See:  Fidelity-backed crypto security startup Fireblocks launches ‘Secure Asset Transfer Network’

Then the attacker repeated the strategy of depositing the remaining 93M DAI, borrowed from Compound into Yearn’s yDAI vault, adding the 165M USDT back into the Curve 3-token stablecoin pool (3pool), withdraw 92M DAI from the yDAI vault, then withdrawing the 165M USDT again from the Curve pool.

Each time the hacker executed the repeating part of the strategy they gained more Curve’s DAO Token, which they later converted to stablecoins, eventually netting them $2.8M, and losing Yearn’s vault, for whose deposits are now disabled, $11M.

Under the Hood

Key to understanding the exploit is that Yearn’s yDAI vault automatically deposits DAI into Curve’s 3pool, which the attack had already heavily saturated with USDC and DAI. In adding the third asset, USDT, to the pool, DAI is devalued, according to Curve’s protocol mechanics.

After withdrawing the DAI from yDAI, at a small loss due to the devaluation, and also withdrawing the USDT, USDC, and other DAI from the 3pool, the attacker reaps the extra rewards of Curve’s DAO Tokens for providing liquidity during a time when the DAI rate strayed from the pool's other two assets.

Continue to the full article --> here


NCFA Jan 2018 resize - First Major DeFi Hack of the Year Explained The National Crowdfunding & Fintech Association (NCFA Canada) is a financial innovation ecosystem that provides education, market intelligence, industry stewardship, networking and funding opportunities and services to thousands of community members and works closely with industry, government, partners and affiliates to create a vibrant and innovative fintech and funding industry in Canada. Decentralized and distributed, NCFA is engaged with global stakeholders and helps incubate projects and investment in fintech, alternative finance, crowdfunding, peer-to-peer finance, payments, digital assets and tokens, blockchain, cryptocurrency, regtech, and insurtech sectors. Join Canada's Fintech & Funding Community today FREE! Or become a contributing member and get perks. For more information, please visit:

Latest news - First Major DeFi Hack of the Year ExplainedFF Logo 400 v3 - First Major DeFi Hack of the Year Explainedcommunity social impact - First Major DeFi Hack of the Year Explained

Support NCFA by Following us on Twitter!

NCFA Sign up for our newsletter - First Major DeFi Hack of the Year Explained


Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen − eleven =