Yearn.Finance, one of the popular decentralized finance (DeFi) platforms, has suffered a massive attack on one of its DAI lending pools on late Thursday that resulted in the total loss of $11 million, the protocol confirmed on social media.
We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.
— yearn.finance (@iearnfinance) February 4, 2021
The attacker used an Aave flash loan to trigger the vault draining. While the protocol lost $11 million from its compromised vault, the attacker managed to get away with only $2.8 million.
“Attacker got away with 2.8m, dai vault lost 11.1m,” Yearn team posted on Discord.
The team is now investigating the breach and, as a precautionary measure, suspended all deposits onto its V1 DAI, USDC, USDT and TUSD.
Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. pic.twitter.com/1RWYyu0d5m
— banteg (@bantg) February 4, 2021
Here’s Why Despite the Recent Bitcoin Crash, All Hope Isn't LostGo to article >>
Yearn developer Banteg further shared that the hacker stole 513,000 DAI, $1.7 million in USDT and the rest in CRV tokens.
Aave Founder, Stani Kulechov detailed that the attacker used a complex 160 nested transactions across multiple DeFi platforms and spent $5,000 in gas fees for the attack.
Interestingly, more than $3 million in the compromised DAI ended up in a liquidity pool of DeFi lending platform, Curve.
— stani.eth 👻 v2 is live 👻 (@StaniKulechov) February 4, 2021
A Popular DeFi Platform
Yearn.Finance is one of the major DeFi protocols with a total locked-in value of little less than $500 million, according to DeFi Pulse. The platform got popular last year among yield farmers as it always enables depositors to recoup all their yield in the token they initially deposited.
Furthermore, YFI token, the governance token of the platform, suffered after the attack and has dropped 15 percent after the news of the attack become public.