Tether announced via social media that they have frozen the $1.7 million stolen as part of the Yearn Finance hack.
Tether has frozen 1.7M USDt that has been stolen as part of the hack of Yearn DAI v1 vault.
More information can be found here⬇️https://t.co/yLpjBQ9xrw
— Tether (@Tether_to) February 5, 2021
Popular decentralized finance (DeFi) project Yearn Finance has fallen victim to a flash loan attack.
Yearn.Finance confirmed on social media on Thursday that one of its pools of funds was breached, resulting in a loss of $11 million.
Yearn. Finance said that the DAI v1 vault was exploited. And protocol managed to mitigate the attack.
We have noticed the v1 yDAI vault has suffered an exploit. The exploit has been mitigated. Full report to follow.
— yearn.finance (@iearnfinance) February 4, 2021
A core developer with Yearn.Finance shared more details about the exploit, revealing that the attacker got away with $2.8 million even though the pool lost a total of $11 million.
Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. pic.twitter.com/1RWYyu0d5m
— banteg (@bantg) February 4, 2021
After containing the attack, the protocol is now investigating the exploit and has suspended all deposits into V1 DAI, USDC, USDT, and TUSD as a safety measure.
Flash loan attack
The hacker got away with 513,000 DAI, $1.7 million in Tether (USDT), and the remaining $506K in CRV.
Stani Kulechov, the founder of DeFi liquidity protocol Aave, explained that the attacker completed the “complex exploit with over 160 nested transactions” across several DeFi platforms and paid $5K in gas fees for the breach.
A simplistic description of the breach shows that the attacker flash-loaned 116K ETH from dYdX and 99K Ether from Aave V2. The attacker proceeded to borrow 134 million USDC and 36 million DAI using Ether as collateral on Compound and then withdrew 165 million USDT from the 3crv Curve pool.
The entire process described above was repeated five times.
Furthermore, the attacker deposited 93 million DAI to yDAI vault and added 165 million USDT to the 3crv pool. The hacker withdrew 92 million DAI from the yDAI vault and 165 million USDT from the 3crv pool.
The attacker withdrew 39 million DAI and 134 million USDC instead of Tether. Then repaid Compound debts and flash loans.
The hack seems to have affected Yearn Finance governance token as YFI plunged from $34,600 to a low of $30,256 with an hour.
However, the governance token is on a recovery path as it is trading above $32,300 at the time of writing.
According to DeFi Pulse, Yearn Finance’s total value locked has remained generally stable and dropped 3% in the last 24 hours to a current value of $490.4 million.
This story has been updated.