$YFI exploit sending shockwaves through the market right now! Reminder that #defi is still experimental tech https://t.co/x2Z2rCqjbp — Lark Davis (@TheCryptoLark) February 4, 2021
According to reports from one of Yearn’s developers, the attacker got away with $2.8 million. Yearn disabled deposits into strategies for v1 DAI, TUSD, USDC, and USDT as they investigated the issue.
Reports suggest that the attacker’s profits consisted of 513k DAI, 1.7 million USDT, and 506K in 3CRV tokens.
The attacker executed 11 transactions to obtain these profits, including multiple ETH flash loans from dYdX and Aave v2. Using this ETH as collateral, he borrowed USDC and DAI on Compound, later adding these to the 3CRV Curve pool.
In each instance, the attacker ended the series of transactions with more 3CRV tokens, which he was later able to swap for stablecoins.
Those who attempted to analyze the hack believed it to be an economic exploit of a strategy that automates single-asset entry into a liquidity provider (LP) that had been pushed too far into one asset.
Aave founder Stani Kulechov called this a ‘complex exploit’, stating on Twitter that the attack consisted of over 160 nested transactions. Of the $11 million loss to the vault, the attacker’s profits were only $2.8 million, as over $8.6 million amounted to gas costs.
The price of YFI has recovered slightly to $32,359 at the time of writing.