Following a Twitter thread on Friday which Underline Decentralized Financial Protocol Flash Loan Exploit Prevention Methodology, Value DeFi appears to have fallen victim to a $ 6 million flash loan exploit.
At around 10:45 a.m. EST, a user took out a flash loan of 80,000 ETH (over $ 36 million) from the Aave lending protocol. Aave developer Emilio Frangella immediately drew attention to the loan:
80,000 eth ready flash on @AaveAave https://t.co/ngnHIoNKpi
– Emilio Frangella (@ The3D_) November 14, 2020
According to Emiliano Bonassi, a self-proclaimed hacker and co-founder of DeFi Italy, the attacker also secured an additional $ 116 million DAI flash loan from Uniswap.
Bonassi says the attacker traded the flash loaned ETH for stablecoins, deposited some of the flash loaned DAI into Value DeFi’s multi-stablecoin vault, and then made a series of stablecoin exchanges between USDT, USDC. and DAI designed to leverage the price used by the Value DeFi vault withdrawal method.
In the picture the steps! pic.twitter.com/nTm2SEgsur
– Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 14, 2020
In an interview with Cointelegraph, Bonassi said that although it is conceptually similar to the recent attack on Harvest Finance, it was one of the most complex exploits he has seen, and “one of the very first times “that an attacker used two flash loans. at once.
At 11:05 a.m., a statement in the Discord community acknowledged the feat:
We are aware of the current situation of the MultiStables safe. Please give us some time to check. All other chests and pools are functioning normally.
Shortly after the exploit, the attacker continued with an Ethereum transaction that appeared to taunt the Value DeFi protocol with a message sent to the address of the protocol’s deployer:
“Do you really know the flash loan? “
The attacker paid $ 0.31 in ETH from his profits to send the message.
At 12:12 p.m., Protocol said in a statement on Twitter that they were preparing a post-mortem on the exploit, which they said resulted in users losing $ 6 million:
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $ 6 million. https://t.co/dnFRa5yPBJ
We are currently working on a post-mortem and are exploring ways to mitigate the impact on our users.
– Value DeFi protocol (@value_defi) November 14, 2020
Since the attack, the value of the $ VALUE token has plunged more than 25%, from 2.73 to 2.01 at the time of publication.
This feat is just the latest in what has been a troubling week in the DeFi space that also featured an attack on the Akropolis protocol. In a Tweeter Aave’s Stani Kulechov pointed out that the exploit is a sign of expansion of attack vectors:
“Building a resilient DeFi becomes difficult. “
This article has been updated to include additional information