February 5, 2021: Yearn Hacked for $11MM 🕵️💰

Keep Ahead of the Curve

Here are today’s trends to watch from Curve Market Cap:

Sad news for DeFi this morning, as an $11MM hack hit Yearn.

yearn.finance @iearnfinance

We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.

10:09 PM ∙ Feb 4, 2021

---

stani.eth 👻 v2 is live 👻 @StaniKulechov

Complex exploit with over 160 nested transactions transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss 🤯 etherscan.io/tx/0x6dc268706…

yearn.finance @iearnfinance

We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.

10:19 PM ∙ Feb 4, 2021

---

The Yearn team was very prompt in addressing the situation within 10 minutes:

I'm just a doggie boi @fubuloubu

Yearn yDAI Vault hack 21:47:39 - discovered 21:57:53 - mitigated ~ 10m14s response time

12:50 AM ∙ Feb 5, 2021

---

banteg @bantg

Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate.

10:18 PM ∙ Feb 4, 2021

---

The hacker got away with $2.8MM of this $11MM for their efforts, although Tether put a freeze on the Tether portion of the funds:

Paolo Ardoino @paoloardoino

. @Tether_to just froze 1.7M USDt stolen as part of the hack of Yearn DAI v1 vault. More info here

yearn.finance @iearnfinance

We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.

2:35 PM ∙ Feb 5, 2021

---

A claim has also been filed on Cover:

Alan @chefcoverage

A claim has been filed for @iearnfinance on @CoverProtocol. A snapshot for $COVER tokenholders to vote on the validity of this claim will be posted soon. At the moment, there is a total of 570,000 DAI of coverage circulating. app.coverprotocol.com/app/claims/YEA…

10:54 PM ∙ Feb 4, 2021

---

The remainder of the $11MM? Much of it ran through Curve as part of the hack.

Igor Igamberdiev @FrankResearcher

1/ Flash loaned 116k ETH from dYdX 2/ Flash loaned 99k ETH from Aave v2 3/ Borrow 134M USDC and 129M DAI using ETH as collateral on Compound 4/ Add 134M USDC and 36M DAI to 3crv Curve pool 5/ Withdraw 165M USDT from 3crv Curve pool 6/ Repeat five times👇

11:03 PM ∙ Feb 4, 2021

---

Igor Igamberdiev @FrankResearcher

- Deposit 93M DAI to yDAI vault (less w/ each time) - Add 165M USDT to 3crv pool - Withdraw 92M DAI from yDAI vault (less w/ each time) - Withdraw 165M USDT from 3crv pool 7/ In the last time withdraw 39M DAI and 134M USDC instead USDT 8/ Repay Compound debts 9/ Repay flash loans

11:03 PM ∙ Feb 4, 2021

---

Igor Igamberdiev @FrankResearcher

Each time the attacker had more 3crv tokens, which he was later able to swap for stablecoins. Lol, it's funny how so many flash loans have been used. This means that my new research piece about flash loans, which will be released very soon, will be relevant.

11:03 PM ∙ Feb 4, 2021

---

Igor Igamberdiev @FrankResearcher

I’m seeing some misunderstandings about where does the $11M figure come from so here is the breakdown: - $2.7M exploiter's profit - $3.5M Curve LP fees - $3.5M Curve stakers fees - $1.4M Aave v2 fees

Igor Igamberdiev @FrankResearcher

Ok, new DeFi exploit. Victim: - @iearnfinance Attacker profit: - 513k DAI - 1.7M USDT - remaining 506k 3CRV (~$1) To obtain such a profit, the attacker executed 11 transactions. Below is a very superficial explanation of what was happening in these transactions👇

10:37 AM ∙ Feb 5, 2021

---

Curve was surely not behind the hack, but it ended up being the Curve community made out like bandits, with Curve stakers pocketing more than the hacker:

Julien Thevenard @JulienThevenard

In this exploit, the arber got away with $2.8M and @CurveFinance stakers received over $3M ...

banteg @bantg

Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. https://t.co/1RWYyu0d5m

10:47 PM ∙ Feb 4, 2021

---

Check out the wild stats on 3pool:

While there’s no way for Curve to automatically return the funds, some in the community have called for voluntary donations to those affected. If we observe any such program being implemented we’ll update here.

For more info, check our live market data at https://curvemarketcap.com/ or our subscribe to our daily newsletter at https://curve.substack.com/. Nothing in our newsletter can be construed as financial advice. The author performs development work for Curve compensated partly in $CRV, all content is otherwise independent.