Attackers Used “DeFi Protocol Yearn Finance” to Steal $11 Million in a Flash Loan Attack

Harbor
Coinmonks
Apr 15, 2023

DeFi, which stands for “decentralized finance,” proposes doing away with centralized financial institutions like banks by facilitating peer-to-peer lending. However, for the time being, it serves primarily as a rough-and-tumble trade arena.

DeFi financing is entirely collateral-based due to the lack of personal relationships between the parties involved. The collateral is itself a highly speculative digital asset; bitcoin (BTC) and ether (the Ethereum network’s native cryptocurrency) are two examples.

If your asset’s value starts to fall relative to the market, the DeFi app’s underlying smart contract will force a sale at a predetermined spot price to compensate your lenders.

The DeFi ecosystem also features algorithmically conducted, permissionless crypto asset swapping on the Ethereum blockchain at decentralized exchanges (DEX).

Flash loans

Flash loans are an additional development built on top of DeFi and Ethereum, the blockchain most commonly linked to the term “programmable money.” The product was first released on the Aave DeFi protocol.

The price of a cryptocurrency varies widely among exchanges. A user can quickly make money by borrowing funds, buying low on one market, selling high on another, and then repaying the loan out of the profit. Since many of the markets are DEXs built on Ethereum, all of this occurs in a single on-chain transaction. All that is required of the arbitrageur is to incorporate the necessary instructions into a single “smart contract” computer program.

Attack

A hacker attempted to exploit the Yearn Finance DeFi protocol using a flash loan. Aave’s “flash loan” is a type of unsecured loan that lets users borrow any amount they like without pledging any assets as collateral.

The user spends the borrowed money and pays back the protocol within the same transaction, or the whole exchange is nullified. Attackers who have access to collateral and a liquidity pool can launch flash loan attacks by manipulating the blockchain.

The vulnerability was first thought to affect Aave V1. Nonetheless, the authors of Aave have stressed that the protocol was not harmed by the hack; it was simply used for swapping tokens to carry out the exploit. The yUSD stablecoin issued by Yearn Finance was the primary target of the attack.

The following are the links to the hacker addresses:

Hacker address 1: https://etherscan.io/address/0x5bac20beef31d0eccb369a33514831ed8e9cdfe0

Hacker address 2: https://etherscan.io/address/0x16af29b7efbf019ef30aae9023a5140c012374a5

Hacker address 3: https://etherscan.io/address/0x6f4a6262d06272c8b2e00ce75e76d84b9d6f6ab8

Here are the details related to the attack:

Hacker contract address 1: https://etherscan.io/address/0x8102ae88c617deb2a5471cac90418da4ccd0579e

Hacker contract address 2: https://etherscan.io/address/0x9fcc1409b56cf235d9cdbbb86b6ad5089fa0eb0f

Attack transaction 1: https://etherscan.io/tx/0xd55e43c1602b28d4fd4667ee445d570c8f298f5401cf04e62ec329759ecda95d

Attack transaction 2: https://etherscan.io/tx/0x8db0ef33024c47200d47d8e97b0fcfc4b51de1820dfb4e911f0e3fb0a4053138

A vulnerability in the yUSDT contract was used to carry out the attack. The contract’s Fulcrum integration was mistaking the iUSDC token for the iUSDT token, leading to an incorrect reliance on the underlying token of the pool. The hacker took advantage of this by obtaining a large number of flash loans and then exchanging them through Curve.

In this assault, the hacker minted bZxUSDC and fed it into the contract, driving up the value of the token. The hacker then caused a rebalance, which led to the redemption of bZxUSDC for a sizable quantity of USDC, bringing the value of each yUSDT to almost zero.

The hacker then sent 1 Wei USDT to the yUSDT contract, minting yUSDT at a cost of 1 Wei USDT each. To put it another way, this amounted to free minting. The hacker made a profit by trading the newly minted yUSDT through the Curve pool. After making a profit, the hacker paid back the flash loans and disappeared. The proceeds were wired to the hacker’s account.
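The accounting failure described above can be reproduced in a small model. This is an added example, not code from the original article or from Yearn's contracts: it assumes a proportional mint formula (shares = amount × total shares ÷ pool value), and the class names, the 5% price-drop guard and the deposit amounts are all hypothetical. It shows two controls a vault can apply: a configuration check that every lending market wraps the vault's own token, and a refusal to mint when the share price has collapsed.

```python
# Added example: toy share-accounting model, not Yearn's code; all names are hypothetical.
from collections import namedtuple

class ConfigError(Exception): pass
class PriceGuardError(Exception): pass

LendingMarket = namedtuple("LendingMarket", "name underlying")  # stand-in for an interest-bearing token

class Vault:
    def __init__(self, underlying, markets, check_config=True, max_drop_bps=None):
        if check_config:          # control 1: every market must wrap the vault's own token
            for m in markets:
                if m.underlying != underlying:
                    raise ConfigError(f"{m.name} wraps {m.underlying}, not {underlying}")
        self.underlying, self.max_drop_bps = underlying, max_drop_bps
        self.balances = {}        # token symbol -> amount in smallest units
        self.total_shares, self.last_price = 0, None   # last_price is scaled by 1e18

    def pool_value(self):         # only the vault's own underlying is counted
        return self.balances.get(self.underlying, 0)

    def price_per_share(self):
        return self.pool_value() * 10**18 // self.total_shares if self.total_shares else 10**18

    def deposit(self, amount):
        price, pool = self.price_per_share(), self.pool_value()
        if self.total_shares and pool == 0:
            raise PriceGuardError("shares outstanding but pool value is zero")
        if self.max_drop_bps is not None and self.last_price is not None:
            floor = self.last_price * (10_000 - self.max_drop_bps) // 10_000
            if price < floor:     # control 2: refuse to mint against a collapsed price
                raise PriceGuardError(f"price {price} below floor {floor}")
        shares = amount if self.total_shares == 0 else amount * self.total_shares // pool
        self.balances[self.underlying] = pool + amount
        self.total_shares += shares
        self.last_price = price
        return shares

    def misrouted_rebalance(self, wrong_token, dust=1):
        # Models a rebalance that leaves all but `dust` in a token pool_value() ignores.
        moved = self.pool_value() - dust
        self.balances[self.underlying] = dust
        self.balances[wrong_token] = self.balances.get(wrong_token, 0) + moved

def scenario(max_drop_bps=None):
    # Constructed inputs: 1,000,000 USDT (6 decimals), then a deposit of 1 smallest unit.
    v = Vault("USDT", [LendingMarket("iUSDC", "USDC")], check_config=False, max_drop_bps=max_drop_bps)
    first = v.deposit(1_000_000 * 10**6)
    v.misrouted_rebalance("USDC")
    return first, v.deposit(1)
```

With no guard, the one-unit deposit receives as many shares as the one-million-USDT deposit did; with `max_drop_bps=500` the same deposit is rejected, and with the default configuration check the mismatched vault cannot be constructed at all.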

Attempted Flash loans on Cream Finance, Alpha Homora, dYdX, and PancakeBunny

Between 2020 and 2022, attacks on Cream Finance, Alpha Homora, dYdX, and PancakeBunny, among other DeFi protocols, were not uncommon. A $19 million flash loan assault was launched against Cream Finance in an attempt to obtain Liquidity Provider tokens. The protocol has been attacked repeatedly with exploits involving “flash loans.”

Using Compound and Fulcrum, an attacker who was exploiting dYdX borrowed WBTC, traded it on Uniswap, repaid the dYdX protocol, and kept the ETH as a reward.

In a flash loan assault, tokens valued at over $45 million were taken from PancakeBunny’s Bunny Protocol.
