Bitcoin
$37,818.72+1.52%
Ethereum
$2,048.32+1.00%
Binance Coin
$228.70+0.69%
XRP
$0.61040364+1.09%
Solana
$58.24+5.87%
Cardano
$0.38604924+2.25%
Dogecoin
$0.08078697+2.55%
Tron
$0.10328210+1.11%
Toncoin
$2.47+0.68%
Chainlink
$14.52+2.35%
Avalanche
$20.63+1.50%
Polygon
$0.74782388+0.69%
PlayIconNav
Crypto Prices CoinDesk Market Index CoinDesk Market Index
Tech

Yearn Finance DAI Vault 'Has Suffered an Exploit'; $11M Drained

“Attacker got away with 2.8m, dai vault lost 11.1m,” a Yearn Finance developer posted in Discord.

By Brady Dale, William Foxley
AccessTimeIconFeb 4, 2021 at 10:19 p.m. UTC
Updated Sep 14, 2021 at 12:07 p.m. UTC
drain, drained

10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

UPDATE (Feb. 5, 15:41 UTC): Yearn published a detailed post-mortem about the exploit on Friday morning. Further, Tether announced the freeze of $1.7 million in USDT involved in the attack, according to Tether CTO Paolo Ardoino.

Yearn Finance has suffered an exploit in one of its DAI lending pools, according to the decentralized finance (DeFi) protocol’s official Twitter account

At 5:14 p.m. ET, banteg, from the Yearn team, posted in Discord: "Attacker got away with 2.8m, dai vault lost 11.1m."

An Aave flash loan was used to trigger the vault draining, according to an Ethereum address presumed to be associated with the exploit.

Yearn Finance is one of the leading venues in DeFi, known for always enabling depositors to recoup all their yield in the token they initially deposited. The platform recently updated to a new suite of vaults, but like any smart contract platform the prior smart contracts persisted. According to DeFi Pulse, Yearn currently has $500 million worth of assets entrusted to it. Even on version 1, many of its pools earn annual yields of well over 20%.

Users in the Yearn Discord and Telegram channels began reporting drains Thursday afternoon. At 4:38 p.m. ET in the Yearn Discord server, Jeffrey Bongos wrote, "Anyone know why v1Dai vault is showing that I've lost thousands of [d]ai in the last few minutes?"

At a little after 5 p.m. ET, the front end of the v1 DAI vault on the Yearn website showed a loss of 1,059%.

Yearn's YFI governance token had a price drop of $4,000 on the news. Just after the attack became public, the UniWhales Twitter account reported a large sale of YFI for ETH:

The vault attacked was Yearn's v1 DAI vault, which updated to a new investment strategy last month, according to a blog post published by the Yearn team on Jan. 23.

The vault's strategy at the time of the attack was to deposit all funds into the "3pool" on the automated market maker (AMM) Curve. Curve's 3pool contains DAI, USDT and USDC, allowing users to swap any of the stablecoins for another at very low slippage.

"In a nutshell, someone deposited a bunch to Curve 3pool to manipulate DAI price given by the pool," Curve CEO Michael Egorov told CoinDesk. "Vault somehow was relying on the DAI price given by this pool. Then the contract withdrew after the attack. And repeated many times taking flash-borrowed funds."

Egorov added:

"That's a well known issue (one could have it with Uniswap, too, however, Uniswap is not so popular for yield farming). I've expressed my thoughts to Yearn team how this could have been prevented (and similar vulnerabilities, too). But honestly, didn't expect them to have such a mistake in the code, that was a surprise to me."

UPDATE (Feb. 5, 2:41 UTC): Adds comments from Curve CEO Michael Egorov.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish, a cryptocurrency exchange, which in turn is owned by Block.one, a firm with interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets including bitcoin and EOS. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.