February 5th, 2021
On February 4, 2021, banteg disclosed a hack of the Yearn DAI v1 vault. The attacker caused a loss of $11 million to the vault, and the attacker made a profit of $2.8 million.
The impact of the attack was limited by the quick response of the Yearn security team and multi-sig wallet signers. By responding within eleven minutes, the team was able to protect the remaining $24 million stored in the vault from the attacker.
Before digging into the details of the Yearn hack, it is important to understand how decentralized exchanges work. A decentralized exchange (DEX) is a smart contract-based equivalent of a traditional currency exchange. The DEX stores a collection of cryptocurrency and allows users to deposit and withdraw different types of currency.
An important concept in any currency exchange is that of the exchange rate. This sets the amount of one type of currency that a user can receive in exchange for an amount of another currency. In a traditional exchange, this value is set by the exchange (often significantly to their benefit).
On a decentralized exchange, there is no central authority to set exchange rates for cryptocurrency. Instead, the exchange rate is set based upon the laws of supply and demand. For a deposit, you’ll get a better rate if the DEX currently has a low quantity of that particular currency. A withdrawal is the exact opposite, where a particular currency is “cheaper” if the exchange has a surplus of it.
The Yearn hacker took advantage of the exchange rates within the Curve 3pool. The attack started with the attacker making some deposits and withdrawals from the pool:
The effect of these actions is that the pool has a massive amount of USDC and DAI compared to its store of USDT. This imbalance has a significant impact on the exchange rate for these currencies. Additionally, the two deposits create 3crv shares that the attacker can use later in their attack.
The attacker then took advantage of this imbalance by performing a series of steps. The following example is from this transaction:
The attacker repeats this process over multiple different iterations using decreasing amounts of DAI in steps 1 and 3. The result of this is that a significant amount of the yDAI Vault’s DAI remains in 3pool.
This remaining DAI is useful to the attacker because they minted 3crv shares in the setup phase of the attack. When redeeming these shares, the attacker is able to withdraw their original 134 million USDC and 36 million DAI plus an additional 2.9 million DAI (due to the slippage). This is the source of the profits from the attack.
This attack is another example of an attacker taking advantage of slippage to exploit a DeFi protocol. In this particular case, the attack was made possible by three factors:
This combination of factors demonstrates the complexity of DeFi protocols and the potential for multiple different factors to combine to render a system exploitable. Protecting against these types of attacks requires a comprehensive security audit that takes these kinds of factors and the interactions between them into account.