YFI fixed an attack vector similar to the one used on Harvest Finance, where $1 billion was taken away from the platform last week. Harvest Finance was a major yield farming protocol on Ethereum, but it was attacked, with more than $30 million wiped from user accounts, as reported in our altcoin news.
The pseudonymous attacker leveraged a flash loan along with a series of manipulative transactions between Curve, Uniswap and Harvest, which allowed them to steal millions of dollars worth of stablecoins sitting in Harvest pools. Reports showed that the attacker could have gone on to steal more than $1 billion of stablecoins and tokenized bitcoin deposits in the protocol, but chose not to, for reasons that remain unknown. The attack highlighted how flash loans can be used to exploit economic vulnerabilities in DeFi protocols and pools to the tune of millions of dollars.
It’s unclear whether or not the attacker was inspired by the Harvest Finance attack, but YFI fixed the attack vector instantly after they found a similar economic flaw within the network. As reported by Yearn.Finance developer Artem “Banteg” K, the team behind the protocol was contacted by the security researcher Wen-Ding Li via the requisite security disclosure channels. Wen-Ding Li described the attack vector as a flash loan attack that could happen on YFI’s network and its TUSD vault as well. The core product is its Vaults, which operate strategies that automatically yield farm with the tokens deposited in the vaults:
“Having established contact, Wen-Ding discloses that he has an initial proof of concept of a flash loan attack that can be mounted on the TUSD vault, resulting in an 18% loss to users, with the attacker being able to walk away with 650k TUSD.”
The attack vector was similar to the one used on Harvest Finance: Yearn.Finance didn’t account for slippage within Curve when depositing, which allowed an attacker to manipulate the price of stablecoins on Curve, as Banteg explained further:
“Combined, this meant that an attacker could crunch the DAI supply in Curve’s y pool, and profit from the imbalance caused as outlined below.”
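The missing check Banteg describes, as an added illustration that is not Yearn's or Curve's code: a fee-less two-coin StableSwap model in which a vault adds liquidity single-sided, and a guard rejects the deposit when the LP tokens it receives, valued at the pool's virtual price, are worth materially less than the stablecoins it put in. The pool balances, the amplification coefficient, the deposit sizes and the 50 bps limit are constructed assumptions; the real Curve y pool holds four coins.

```python
# Added illustration, not Yearn's or Curve's code: a fee-less two-coin StableSwap
# model showing why a vault that adds liquidity single-sided needs a slippage guard.
# Balances, amplification and deposit sizes are constructed sample values.

A = 100  # amplification coefficient (constructed)

def get_D(xp, amp=A):
    """Solve the StableSwap invariant D for balances xp by Newton iteration."""
    n, s = len(xp), float(sum(xp))
    if s == 0:
        return 0.0
    d, ann = s, amp * n
    for _ in range(255):
        d_p = d
        for x in xp:
            d_p = d_p * d / (n * x)
        d_prev = d
        d = (ann * s + d_p * n) * d / ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - d_prev) <= 1e-12 * d:
            break
    return d

class Pool:
    def __init__(self, balances):
        self.balances = list(balances)
        self.total_supply = get_D(self.balances)  # LP shares; virtual price starts at 1

    def virtual_price(self):
        # D per LP share. Swaps leave D unchanged, so an imbalance created by trading
        # within the same transaction does not move this reference, unlike spot price.
        return get_D(self.balances) / self.total_supply

    def add_liquidity(self, amounts):
        d0 = get_D(self.balances)
        self.balances = [b + a for b, a in zip(self.balances, amounts)]
        d1 = get_D(self.balances)
        minted = self.total_supply * (d1 - d0) / d0
        self.total_supply += minted
        return minted

def vault_deposit(pool, amounts, max_loss_bps):
    """Add liquidity, then raise (a contract would revert, undoing the deposit) if the
    LP received, valued at the pool's virtual price, is worth less than the deposited
    stablecoins' face value by more than max_loss_bps. Returns (lp_minted, loss_bps)."""
    face_value = sum(amounts)
    minted = pool.add_liquidity(amounts)
    loss_bps = (face_value - minted * pool.virtual_price()) / face_value * 10_000
    if loss_bps > max_loss_bps:
        raise ValueError(f"deposit would lose {loss_bps:.0f} bps, limit {max_loss_bps}")
    return minted, loss_bps
```

With a balanced pool the deposit passes with a loss of about 1 bp, while in a pool whose DAI side has been crunched to 200k against 1.8M of the other coin, depositing 100k of the abundant coin loses roughly 100 bps and is rejected.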
A novel flash loan attack vector has been discovered by @xu3kev and was promptly mitigated by Yearn's security team.
Read the disclosure here: https://t.co/BiLjUoCrBp
— banteg (@bantg) October 31, 2020
The exploit was patched and the Vault is no longer vulnerable. The DAI and GUSD vaults were also vulnerable to the same attack vector, but the proper measures were in place to prevent it from happening. The vector came shortly after another was patched, and the developers had also announced a patch for a vulnerability that could have put the funds of the yDai, yTUSD and yUSD vaults at risk.