February 5, 2021: Yearn Hacked for $11MM 🕵️💰

Keep Ahead of the Curve

Here are today’s trends to watch from Curve Market Cap:

Sad news for DeFi this morning, as an $11MM hack hit Yearn.

yearn.finance @iearnfinance

We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.

February 4th 2021

380 Retweets1,233 Likes

stani.eth 👻 v2 is live 👻 @StaniKulechov

Complex exploit with over 160 nested transactions transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss 🤯 etherscan.io/tx/0x6dc268706…

yearn.finance @iearnfinance

We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.

February 4th 2021

44 Retweets193 Likes

The Yearn team was very prompt in addressing the situation within 10 minutes:

I'm just a doggie boi @fubuloubu

Yearn yDAI Vault hack 21:47:39 - discovered 21:57:53 - mitigated ~ 10m14s response time

February 5th 2021

7 Retweets136 Likes

banteg @bantg

Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate.

February 4th 2021

252 Retweets699 Likes

The hacker got away with $2.8MM of this $11MM for their efforts, although Tether put a freeze on the Tether portion of the funds:

Paolo Ardoino @paoloardoino

. @Tether_to just froze 1.7M USDt stolen as part of the hack of Yearn DAI v1 vault. More info here

yearn.finance @iearnfinance

We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.

February 5th 2021

21 Retweets112 Likes

A claim has also been filed on Cover:

Alan @chefcoverage

A claim has been filed for @iearnfinance on @CoverProtocol. A snapshot for $COVER tokenholders to vote on the validity of this claim will be posted soon. At the moment, there is a total of 570,000 DAI of coverage circulating. app.coverprotocol.com/app/claims/YEA…

February 4th 2021

32 Retweets94 Likes

The remainder of the $11MM? Much of it ran through Curve as part of the hack.

Igor Igamberdiev @FrankResearcher

1/ Flash loaned 116k ETH from dYdX 2/ Flash loaned 99k ETH from Aave v2 3/ Borrow 134M USDC and 129M DAI using ETH as collateral on Compound 4/ Add 134M USDC and 36M DAI to 3crv Curve pool 5/ Withdraw 165M USDT from 3crv Curve pool 6/ Repeat five times👇

February 4th 2021

13 Retweets165 Likes

Igor Igamberdiev @FrankResearcher

- Deposit 93M DAI to yDAI vault (less w/ each time) - Add 165M USDT to 3crv pool - Withdraw 92M DAI from yDAI vault (less w/ each time) - Withdraw 165M USDT from 3crv pool 7/ In the last time withdraw 39M DAI and 134M USDC instead USDT 8/ Repay Compound debts 9/ Repay flash loans

February 4th 2021

6 Retweets122 Likes

Igor Igamberdiev @FrankResearcher

Each time the attacker had more 3crv tokens, which he was later able to swap for stablecoins. Lol, it's funny how so many flash loans have been used. This means that my new research piece about flash loans, which will be released very soon, will be relevant.

February 4th 2021

9 Retweets356 Likes

Igor Igamberdiev @FrankResearcher

I’m seeing some misunderstandings about where does the $11M figure come from so here is the breakdown: - $2.7M exploiter's profit - $3.5M Curve LP fees - $3.5M Curve stakers fees - $1.4M Aave v2 fees

Igor Igamberdiev @FrankResearcher

Ok, new DeFi exploit. Victim: - @iearnfinance Attacker profit: - 513k DAI - 1.7M USDT - remaining 506k 3CRV (~$1) To obtain such a profit, the attacker executed 11 transactions. Below is a very superficial explanation of what was happening in these transactions👇

February 5th 2021

24 Retweets82 Likes

Curve was surely not behind the hack, but it ended up being the Curve community made out like bandits, with Curve stakers pocketing more than the hacker:

Julien Thevenard @JulienThevenard

In this exploit, the arber got away with $2.8M and @CurveFinance stakers received over $3M ...

banteg @bantg

Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. https://t.co/1RWYyu0d5m

February 4th 2021

45 Retweets214 Likes

Check out the wild stats on 3pool:

While there’s no way for Curve to automatically return the funds, some in the community have called for voluntary donations to those affected. If we observe any such program being implemented we’ll update here.

For more info, check our live market data at https://curvemarketcap.com/ or our subscribe to our daily newsletter at https://curve.substack.com/. Nothing in our newsletter can be construed as financial advice. The author performs development work for Curve compensated partly in $CRV, all content is otherwise independent.