Yearn.finance (YFI) rapidly fixes "attack vector" similar to one used on $1b protocol Harvest

cryptoslate.com 2020-11-03 01:00
Reading time: ~3 m

Harvest Finance, what used to be a $1 billion yield farming protocol on Ethereum, underwent a brutal attack last week that wiped approximately $30 million from user accounts.

The pseudonymous attacker leveraged a flash loan, along with a series of manipulative transactions between Curve, Uniswap, and Harvest, that allowed them to drain millions of dollars worth of stablecoin from Harvest’s pools.

Reports indicate that the attacker could have kept on going and withdrawn close to $1 billion of stablecoin and tokenized Bitcoin deposits in the protocol but opted against doing so for an unexplained reason.

This attack highlighted how flash loans can be used to exploit economic vulnerabilities within DeFi protocols and pool to the tune of millions of dollars.

Whether it’s unclear whether or not he was inspired by the Harvest Finance attack, a security researcher in the space found a similar economic flaw within Yearn.finance, the original yield aggregator. Fortunately, instead of exploiting this flaw, he reported it to the Yearn.finance team.

Yearn.finance developers rapidly fix big

As reported by lead Yearn.finance developer Artem “Banteg” K, on Oct. 29 the team behind the protocol was contacted by security researcher Wen-Ding Li through the requisite security disclosure channels.

Wen-Ding Li described a potential attack vector of a flash loan attack that could take place on Yearn.finance’s TUSD Vault. Yearn.finance’s core product is its Vaults, which operate strategies that automatically yield farm with the deposited token in each Vault.

“Having established contact, Wen-Ding discloses that he has an initial proof of concept of a flash loan attack that can be mounted on the TUSD vault, resulting in an 18% loss to users, with the attacker being able to walk away with 650k TUSD.”

A novel flash loan attack vector has been discovered by @xu3kev and was promptly mitigated by the Yearn's security team.

Read the disclosure here:https://t.co/BiLjUoCrBp

— banteg (@bantg) October 31, 2020

The theoretical attack vector was similar to the Harvest one in that this Yearn.finance Vault did not properly account for slippage within Curve when depositing and entering, allowing them to manipulate the price of stablecoins on Curve to their advantage.

As Banteg explained further:

“Combined, this meant that an attacker could crunch the DAI supply in the Curve’s y pool, and profit from the imbalance caused as outlined below.”

Fortunately, the exploit was quickly patched and the Vault is no longer vulnerable.

Purportedly, Yearn.finance’s Vaults for DAI and GUSD were vulnerable to the same vector of attack but the proper measures were in place to avoid this from transpiring.

This attack vector comes shortly after another was patched. Announced at the end of September, developers patched a “vulnerability [that] could have put funds of the yDAI, yTUSD and yUSD vaults at risk. “