DeFi's Yearn.Finance Protocol Suffers $2.8 Million Flash Loan Attack

Yearn.Finance DeFi (decentralized finance) protocol has announced that one of its DAI stablecoin lending pools has been exploited, leading to the loss of $2.8 million.

Banteg, one of the Yearn’s core developers, shared the incident on Twitter social media. He said:

“Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate.”

Yearn.Finance Twitter official page also confirmed the incident: "We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow."

The suspect is said to have used an Aave flash loan to trigger the vault draining, thus getting away with $2.8 million and the vault losing $11 million.

The founder of DeFi platform Aave, Stani Kulechov, talked about the transaction at the core of the exploit, involving multiple DeFi protocols and over $5,000 worth of Ethereum transaction fees. Kulechov said: "Complex exploit with over 160 nested transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss."

The vault attacked was Yearn’s v1 DAI vault, which updated to a new investment strategy in January. At the time of the attack, the vault’s strategy was to deposit all funds into the “3pool” on the AMM (automated market marker) Curve. Curve’s 3pool contains USDC, USDT, and DAI, allowing users to swap any of the stablecoins for another efficiently.

DeFi’s Challenges

Yearn.Finance is one of the leading protocols running on the Ethereum blockchain that allows users to optimize their earnings on cryptocurrencies through trading and lending services. Yearn.Finance capitalizes on a practice commonly identified as “yield farming” in which users lock up cryptocurrencies in the DeFi protocol so as to earn more crypto assets. However, such protocols have become a nightmare for some crypto users who have been robbed and conned of millions of dollars in valuable digital assets.

DeFi smart contracts are not infallible and there is always a risk that users may lose their funds if they use them. However, this does not mean the DeFi is inherently dangerous, but users should exert caution when leveraging its protocols.