The Value DeFi protocol suffers from a $ 6 million flash credit exploit


Related articles

According to a Twitter thread on Friday highlighting the Decentralized Financial Protocol’s method of preventing flash credit exploits, Value DeFi appears to have been the victim of a $ 6 million flash credit exploit.

At about 10:45 am EST, a user took out a loan of 80,000 ETH (over $ 36 million) from the Aave loan log. Aave developer Emilio Frangella immediately drew attention to the loan:

According to Emiliano Bonassi, a self-described Whitehat hacker and co-founder of DeFi Italy, the attacker received an additional $ 116 million Flash loan in DAI from Uniswap.

According to Bonassi, the attacker traded the ETH borrowed from Flash for stablecoins, deposited part of the Flash borrowed DAI in Value DeFi’s multi-stablecoin vault, and then performed a series of stablecoin swaps between USDT, USDC, and DAI to take advantage of the prices Used by the Value DeFi Vault’s withdrawal method.

In an interview with Cointelegraph, Bonassi said that while conceptually similar to the most recent attack on Harvest Finance, it was one of the most complex exploits he’d seen, and “one of the very first times” an attacker used two flash loans at once .

At 11:05 a.m., a statement on the Community Discord confirmed the exploit:

We are aware of the current situation with the MultiStables safe. Please give us some time to review. All other safes and pools function normally.

Shortly after the exploit, the attacker conducted an Ethereum transaction that appeared to mock the Value DeFi protocol with a message to the protocol’s deployer address:

“Do you really know Flashloan?”

The attacker paid ETH $ 0.31 from its profits to send the message.

At 12:12 p.m., in a statement on Twitter, Minutes said they were preparing a postmortem for the exploit, resulting in a loss of $ 6 million to users:

Since the attack, the value of the $ VALUE token has dropped 25%, from 2.73 to 2.01 at the time of going to press.

This exploit is only the last in a troubling week across the DeFi area that also saw the Acropolis Protocol attacked. In a tweet, Aave’s Stani Kulechov signaled that the exploit is a sign of the expansion of attack vectors:

“Building a resilient DeFi is becoming increasingly difficult.”

This article has been updated to include additional information