Curve liquidity providers see $3M windfall from $11M Yearn.finance exploit

DeFi protocol Yearn Finance has reported that its V1 yDAI vault was exploited by a hacker to the tune of $11 million on Feb. 5. However, the hacker failed to reap the lion’s share of the heist, with Curve liquidity providers making more from the attack than its mastermind.

While the vault lost $11 million in total, Yearn developer “Banteg” tweeted that the hacker had only been able to profit to the tune of $2.8 million. The team has suspended all deposits to its V1 DAI, USDC, USDT, and TUSD amid an ongoing investigation.

Yearn DAI v1 vault got exploited, the attacker got away with $2.8m, the vault lost $11m. Deposits into strategies disabled for v1 DAI, TUSD, USDC, USDT vaults while we investigate. pic.twitter.com/1RWYyu0d5m

— banteg (@bantg) February 4, 2021

Cointelegraph reached out to the developer for comments regarding the attack, but Banteg indicated the team does not wish to make further comments on the incident until their investigations into the exploit have been completed.

Banteg did share an analysis of the incident suggesting the hacker had been able to steal 513,000 DAI and $1.7 million USDT, with the remainder of their stash taking the form of CRV tokens.

Stani Kulechov, the founder of flash-loan protocol Aave, tweeted that the attack comprised a complex exploit involving more than 160 transactions across multiple DeFi platforms that spent more than $5,000 in gas fees.

Complex exploit with over 160 nested transactions transactions and 8,6 mm gas used (around 75% of the block) resulted to 2.7 mm USD loss https://t.co/WdqMGTuBQF https://t.co/MoaZIfGKGa

— stani.eth v2 is live (@StaniKulechov) February 4, 2021

VC investor Julien Thevenard noted that more than $3 million of the funds stolen from the vault had been received by liquidity providers on DeFi lending platform Curve. Banteg indicated to Cointelegraph that Thevenard’s analysis is accurate.

In this exploit, the arber got away with $2.8M and @CurveFinance stakers received over $3M ... https://t.co/TV7u2VM4BU pic.twitter.com/NgyIyjpbwC

— Julien Thevenard (@JulienThevenard) February 4, 2021

News of the exploit appears to have driven a 15% crash in the price of Yearn Finance’s governance token in less than two hours with YFI plunging from $35,000 to a local low of $29,600. YFI last changed hands for $31,070 at the time of writing.

Despite the crash, Yearn’s total value locked has remained relatively steady, with its TVL falling just 4% from $526.5 million to $507.2 million, according to DeFi Pulse.

The Feb. 4 attack is not the first to target a project from Yearn lead developer Andre Cronje, with a hacker draining $15 million from Eminence — an unfinished project that Cronje’s followers rushed to lock funds in — after the developer went to bed one night in September 2020.

​​Cream Finance DeFi platform loses $19M in a flash loan hack   Aug. 30, 2021
‘DeFi done right’: Layer-one protocol launches mainnet   July 29, 2021
Yearn.Finance puts expanded treasury to use by repaying victims of $11M hack   Feb. 9, 2021
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'   Feb. 3, 2022
Tornado Cash says it's using Chainalysis oracles to block access from OFAC sanctioned addresses   April 15, 2022