UPDATE (Feb. 5, 15:41 UTC): Yearn published a detailed post-mortem about the exploit on Friday morning. Further, Tether announced the freeze of $1.7 million in USDT involved in the attack, according to Tether CTO Paolo Ardoino.
At 5:14 p.m. ET, banteg, from the Yearn team, posted in Discord: “Attacker got away with 2.8m, dai vault lost 11.1m.”
An Aave flash loan was used to trigger the vault draining, according to an Ethereum address presumed to be associated with the exploit.
Yearn Finance is one of the leading venues in DeFi, known for always enabling depositors to recoup all their yield in the token they initially deposited. The platform recently updated to a new suite of vaults, but like any smart contract platform the prior smart contracts persisted. According to DeFi Pulse, Yearn currently has $500 million worth of assets entrusted to it. Even on version 1, many of its pools earn annual yields of well over 20%.
Users in the Yearn Discord and Telegram channels began reporting drains Thursday afternoon. At 4:38 p.m. ET in the Yearn Discord server, Jeffrey Bongos wrote, “Anyone know why v1Dai vault is showing that I’ve lost thousands of [d]ai in the last few minutes?”
At a little after 5 p.m. ET, the front end of the v1 DAI vault on the Yearn website showed a loss of 1,059%.
The vault attacked was Yearn’s v1 DAI vault, which updated to a new investment strategy last month, according to a blog post published by the Yearn team on Jan. 23.
The vault’s strategy at the time of the attack was to deposit all funds into the “3pool” on the automated market maker (AMM) Curve. Curve’s 3pool contains DAI, USDT and USDC, allowing users to swap any of the stablecoins for another at very low slippage.
“In a nutshell, someone deposited a bunch to Curve 3pool to manipulate DAI price given by the pool,” Curve CEO Michael Egorov told CoinDesk. “Vault somehow was relying on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated many times taking flash-borrowed funds.”
"That's a well known issue (one could have it with Uniswap, too, however, Uniswap is not so popular for yield farming). I've expressed my thoughts to Yearn team how this could have been prevented (and similar vulnerabilities, too). But honestly, didn't expect them to have such a mistake in the code, that was a surprise to me."
UPDATE (Feb. 5, 2:41 UTC): Adds comments from Curve CEO Michael Egorov.