Tokens worth $2.8 Million were stolen by an attacker who took advantage of a Yearn Finance exploit on January 4th, with a total of $11 million being lost from DAI vault.
The attack on Yearn Finance took advantage of an Aave flash loan to drain the vault, using over 160 nested transactions to commit the exploit that resulted in $8.6 million in gas fees.
The popular DeFi yield farming project’s official Twitter account announced the attack by stating: “We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.”
A vulnerability disclosure report was published the next day in the project’s official Github, providing further details on the attack and more information on how the exploit took place.
Getting Into the Yearn Vault
According to the report, Yearn’s security team and multi-sig wallet signers were able to stop the attack while it was underway only 11 minutes after it been reported, saving more than 2 thirds of the vault’s total deposits ($35 Million).
The suspicious activity by a contract was reported by Andre Cronje at 21:45 (UTC), which was later found to be an exploit achieved by debalancing the exchange rate between the stablecoins in the pool, making the yDAI vault deposit into the pool at an unfavorable rate, and then reversing the first imbalance.
After repeating this process in 11 transactions that took place over 38 minutes, the attacker was able to extract $2.8 from the vault before Yearn’s team mitigated the attack.
The security team’s report identified 3 factors as contributing to the exploit, which included a loose slippage protection value, null withdrawal fee, and the vault being a v1 vault.
The Controversy Around Tether’s Decentralization
Tether Ltd. announced on February 5th, e company behind the stablecoin Tether (USDT), that it had frozen part of the funds stolen from Yearn Finance, mitigating the loss by $1.7 million. This move by Tether will effectively prevent the attacker from using the funds in any way.
This is not the first time that Tether freezes funds acquired by hackers. The company froze $20 million back in 2020 when the popular cryptocurrency exchange KuCoin lost over $200 million after being attacked.
These decisions have been controversial as a result of the lack of decentralization that allowed Tether to take such actions, which according to critics would be against the spirit of decentralized finance.
Paolo Ardoino, CTO of Tether, replied to critics by Tweeting:
“I want to use this occasion to remind everyone that Tether $USDt is a centralized stablecoin using blockchains as transport layer. Among Tether duties there is the responsibility of acting and collaborating with LE and regulators regarding potential dangerous behavior.”
While cryptocurrencies tend to be as decentralized as possible, it is a common misunderstanding that this is a characteristic innate to the technology. While decentralization comes with some benefits for the users of a platform, cases like this one continue to generate discussion around the cons of total decentralization.
YFI Felt the Effects
Yearn Finance’s token, YFI, had been experiencing an uptrend since the start of February the 1st. However, the events transcurred on February the 4th saw the token’s value drop after having reached its highest point in the last 2 weeks ($34.386).
The value of the token dropped by about 15%in a matter of minutes after news of the attack became public, rebounding slightly but staying under the initial value ever since.
The protocol’s decentralized governance recently passed a vote to mind 6666 new YFI tokens to ensure the future development of the protocol, which would represent over $150 million.
The proposal passed the vote with a count of 1,670 YFI to 331, which required 4089 YFI to be staked.
If the changes are approved by two-thirds of the Yearn Multisig wallet members, 66% of the new tokens would be set aside as treasury while 33% would be issued to key contributors.