According to a Twitter thread on Friday highlighting the decentralized finance protocol's method of preventing flash loan exploits, Value DeFi appears to have been the victim of a $6 million flash loan exploit.
At about 10:45 a.m. EST, a user took out a loan of 80,000 ETH (over $36 million) from the Aave lending protocol. Aave developer Emilio Frangella immediately drew attention to the loan:
80,000 Eth Flashloan on @AaveAave https://t.co/ngnHIoNKpi
– Emilio Frangella (@The3D_) November 14, 2020
According to Emiliano Bonassi, a self-described white hat hacker and co-founder of DeFi Italy, the attacker received an additional $116 million flash loan in DAI from Uniswap.
According to Bonassi, the attacker traded the flash-borrowed ETH for stablecoins, deposited part of the flash-borrowed DAI in Value DeFi's multi-stablecoin vault, and then performed a series of stablecoin swaps between USDT, USDC, and DAI to take advantage of the prices used by the Value DeFi vault's withdrawal method.
This is the most complex exploit I’ve ever seen. 2 FLASHLOANS were used, one with @AaveAave (80k ETH) and one with Flashswap with @UniswapProtocol (116M DAI).
In the picture the steps! pic.twitter.com/nTm2SEgsur
– Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 14, 2020
In an interview with Cointelegraph, Bonassi said that while conceptually similar to the most recent attack on Harvest Finance, it was one of the most complex exploits he'd seen, and "one of the very first times" an attacker used two flash loans at once.
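The class of weakness Bonassi describes, a withdrawal valued at a price that large swaps can move, can be shown with a toy model. This is an added example, not Value DeFi's code: the constant-product pool, `value_of_shares`, the constructed reserves and the 1% tolerance are all assumptions, and the model assumes the vault reads a pool's spot price. It contrasts spot-price valuation with a check against a slow-moving reference price.

```python
from dataclasses import dataclass

@dataclass
class StablePool:
    """Constant-product pool of two stablecoins (constructed toy model)."""
    a: float  # reserve of stablecoin A
    b: float  # reserve of stablecoin B

    def spot_price(self) -> float:
        """Price of A in units of B, read directly from current reserves."""
        return self.b / self.a

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell A into the pool (fees omitted); returns the B paid out."""
        k = self.a * self.b
        new_a = self.a + amount_a
        paid_out = self.b - k / new_a
        self.a, self.b = new_a, k / new_a
        return paid_out

class PriceDeviation(Exception):
    """Spot price is too far from the reference to be trusted."""

def value_of_shares(shares, pool, reference_price=None, max_dev=0.01):
    """Value `shares` (denominated in A) in units of B.
    reference_price=None: weak form, trusts the in-block spot price.
    Otherwise: hardened form, refuses to price when spot has moved more
    than max_dev (fraction) away from a slow-moving reference such as a
    time-weighted average supplied by the caller.
    """
    spot = pool.spot_price()
    if reference_price is not None:
        deviation = abs(spot - reference_price) / reference_price
        if deviation > max_dev:
            raise PriceDeviation(f"spot {spot:.4f} vs ref {reference_price:.4f}")
    return shares * spot

def demo():
    pool = StablePool(a=1_000_000.0, b=1_000_000.0)  # constructed reserves
    reference = pool.spot_price()        # stand-in for a time-averaged price
    honest = value_of_shares(1_000, pool, reference)
    pool.swap_a_for_b(500_000.0)         # one large swap skews the reserves
    skewed = value_of_shares(1_000, pool)            # weak form accepts it
    try:
        value_of_shares(1_000, pool, reference)
        guarded = "accepted"
    except PriceDeviation:
        guarded = "rejected"
    return honest, skewed, guarded
```

With these reserves the same 1,000 shares are valued at 1,000 before the swap and about 444 after it when only the spot price is consulted, while the reference check refuses to price them at all.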
At 11:05 a.m., a statement on the Community Discord confirmed the exploit:
We are aware of the current situation with the MultiStables safe. Please give us some time to review. All other safes and pools function normally.
Shortly after the exploit, the attacker conducted an Ethereum transaction that appeared to mock the Value DeFi protocol with a message to the protocol’s deployer address:
“Do you really know Flashloan?”
The attacker paid $0.31 in ETH from their profits to send the message.
At 12:12 p.m., in a statement on Twitter, the protocol said it was preparing a postmortem for the exploit, which resulted in a loss of $6 million to users:
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $6 million. https://t.co/dnFRa5yPBJ
We are currently working on a post mortem and are looking for ways to lessen the impact on our users.
– Value DeFi Protocol (@value_defi) November 14, 2020
Since the attack, the value of the $VALUE token has dropped 25%, from 2.73 to 2.01 at the time of going to press.
This exploit is only the latest in a troubling week across the DeFi space that also saw the Akropolis protocol attacked. In a tweet, Aave's Stani Kulechov signaled that the exploit is a sign of the expansion of attack vectors:
“Building a resilient DeFi is becoming increasingly difficult.”
This article has been updated to include additional information