Two-level inversion? Curve is reaping the benefits of hacking yDAI vaults.

On February 5th, Beijing time, Yearn Finance tweeted that the v1 yDAI vault was attacked.

Yearn Finance core developer @banteg said: "The vault was exploited, the attacker gained $2.8M, and the vault lost $11M. Policy deposits for v1 DAI, TUSD, USDC, USDT vaults will be disabled during our investigation. "

Through tracking and analysis,PeckShield found that this attack is similar to the flash loan attack vulnerability on Yearn.finance's TUSD Vault previously disclosed by security researcher Wen-Ding Li (李文鼎).

First, the attacker lends flash loans from dYdX and AaveV2;

Subsequently, the attacker used the borrowed assets to cause the token imbalance in 3pool through deposit and withdrawal operations;

Next, the attacker deposits DAI in the yDAI vault, triggering continued investment into the affected strategic investment, which worsens the state of unbalanced transactions in 3pool, and the attacker immediately benefits from the deteriorated unbalanced state;

The attacker repeated the above steps and avoided triggering the 0.5% slippage control, and finally repaid the initial flash loan, resulting in a loss of $11 million in the yDAI vault.

It is worth noting that the affected strategy has slippage control implemented, but currently has no withdrawal fee (originally 0.5% withdrawal fee), which makes the exploit profitable. In order to avoid triggering slippage control, the attacker repeatedly used the above steps to ensure the success of the attack. Yearn Finance disabled the vault policy immediately after the attack.

Do you want to curb the "invisible hand" of DeFi lending volatility? Yearn Finance vaults are not enough insurance.

At the end of September 2020, the developers of Yearn Finance disclosed that they patched a vulnerability that could put funds in yDAI, yTUSD, and yUSD vaults at risk. After a similar attack vulnerability appeared in the flash loan that appeared on TUSD Vault in November, fortunately, it was repaired quickly. After many tinkerings, it still hasn't escaped a blow.

PeckShield Security Company has repeatedly reminded that the project party must not only maximize the code, but also prevent problems before they happen. Once a DeFi attack occurs, it must self-check the code and check for gaps in time.

As of now, Yearn Finance core developer banteg said that hackers have stolen 513,000 DAI and 1.7 million USDT, and the rest exists in the form of CRV tokens.

Aave founder Stani Kulechov said that the attack contained a complex vulnerability involving more than 160 transactions on multiple DeFi platforms, costing more than $5,000 in Gas fees.

VC investor Julien Thevenard noted that more than $3 million of the funds stolen from the vault were received by liquidity providers on Curve, a DeFi lending platform.