As posted by banteg on Discord, at 5:14 p.m. ET:
“Attacker got away with 2.8m, dai vault lost 11.1m.”
Affirming the exploit, Yearn finance, through a tweet, said: “we have noticed the V1 yDAI vault has suffered an exploit. The exploit has been mitigated”.
The report said an Aave flash loan was used to trigger the vault draining, according to an Ethereum address presumed to be associated with the exploit.
Yearn users across their respective Discord and Telegram channels began reporting drains Thursday afternoon. Jeffrey Bangos, at 4:38 p.m. ET in the Yearn Discord server, wrote, “Anyone know why v1Dai vault is showing that I’ve lost thousands of Dai in the last few minutes?”
After several reports from the community, the v1 DAI vault’s front end at around 5 pm on the Yearn website showed a loss of 1059%.
According to a blog post, the affected Vault was updated to a new investment strategy last month.
At the time of the attack, its strategy was to deposit all funds into the “3pool” on the automated market maker (AMM) Curve. Curve’s 3pool contains DAI, USDT, and USDC, allowing users to swap any of the stablecoins for another at very low slippage.
When contacted by Coindesk, Curve CEO said, “In a nutshell someone deposited a bunch to Curve 3pool to manipulate DAI price given by the pool”.
He also explained:
“Vault somehow was relying on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated many times taking flash-borrowed funds.”
Egorov expressed shock that the vulnerability would not have happened, saying:
“That’s a well known issue (one could have it with Uniswap, too, however Uniswap is not so popular for yield farming). I’ve expressed my thoughts to yearn team how this could have been prevented (and similar vulnerabilities, too). But honestly, didn’t expect them to have such a mistake in the code, that was a surprize to me.”