At 5:14 p.m. ET, banteg, from the Yearn team, posted in Discord: "Attacker got away with 2.8m, dai vault lost 11.1m."
An Aave flash loan was used to trigger the vault draining, according to an Ethereum address presumed to be associated with the exploit.
Yearn Finance is one of the leading venues in DeFi, known for always enabling depositors to recoup all their yield in the token they initially deposited. The platform recently updated to a new suite of vaults, but like any smart contract platform the prior smart contracts persisted. According to DeFi Pulse, Yearn currently has $500 million worth of assets entrusted to it. Even on version 1, many of its pools earn annual yields of well over 20%.
Users in the Yearn Discord and Telegram channels began reporting drains Thursday afternoon. At 4:38 p.m. ET in the Yearn Discord server, Jeffrey Bongos wrote, "Anyone know why v1Dai vault is showing that I've lost thousands of [d]ai in the last few minutes?"
At a little after 5 p.m. ET, the front end of the v1 DAI vault on the Yearn website showed a loss of 1,059%.
The vault attacked was Yearn's v1 DAI vault, which updated to a new investment strategy last month, according to a blog post published by the Yearn team on Jan. 23.
"In a nutshell, someone deposited a bunch to Curve 3pool to manipulate DAI price given by the pool," Curve CEO Michael Egorov told CoinDesk. "Vault somehow was relying on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated many times taking flash-borrowed funds."
UPDATE (Feb. 5, 2:41 UTC): Adds comments from Curve CEO Michael Egorov.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.