An attacker has managed to walk away with $2.8 million after exploiting a yearn.finance DAI vault.
“Banteg”—a core developer on the DeFi protocol whose Twitter bio says they are “ahead of the curve”—confirmed that the vault ended up losing $11 million.
He went on to sow confusion by saying that deposits had been disabled while an investigation took place… and later confirmed that this isn’t possible given how the ecosystem is decentralized.
At the time of publishing, yearn.finance founder Andre Cronje was yet to address the exploit on his own Twitter page.
The exploit led to a rather nasty fall in the value of YFI, the protocol’s governance token. It has been trading at about $34,700 before the exploit became public knowledge, and subsequently tumbled to the low $30,000s.
It’s believed that an AAVE flash loan was used by the hacker, prompting yearn.finance users on Discord to say “it’s stupid that’s allowed.”
What remains to be seen is whether affected users will be compensated.
There will likely be red faces over at yearn.finance, given how the vault that was targeted had been switched to a new investment strategy in recent weeks.
A worrying trend
The yearn.finance drama came as DeFi tokens enjoyed something of a renaissance, with governance tokens linked to Aave, Maker and Compound all hitting records after securing double-digit gains over the past 24 hours.
All of this comes as blockchain intelligence firms such as CipherTrace warn that there was a sharp rise in the number of exploits targeting DeFi protocols—a figure that had been “virtually negligible” before 2020.
As reported by Modern Consensus, CipherTrace said there were “dozens of DeFi-related hacks and scams” last year—with the company concluding that decentralized finance “is the next major threat vector for fraud and money laundering.”
Nearly 99% of all 2020’s crypto fraud volume originated from DeFi projects carrying out “rug pulls” and exit scams on their users and investors.