en
Back to the list

Yearn.Finance (YFI) DeFi Was Vulnerable to Flash Loan Attack; Are Funds SAFU?

source-logo  u.today  + 1 more 12 February 2022 16:50, UTC

Banteg (@bantg), a core developer of Yearn.Finance (YFI) DeFi ecosystem, shares the details of hypothetical attack against the elements of its protocol that were unveiled by a white-hat hacker.

USDT at discount, maximum bounty to attacker

As per the tweets by Banteg, on Jan.30 2022, a white-hat hacker reported the scenario of an attack against SingleSidedBalancer strategy, an element of Yearn.Finance's yield farming toolkit.

Yearn has paid a $200,000 bounty to a whitehat who has responsibly disclosed a vulnerability via @immunefi.

Read the vulnerability disclosurehttps://t.co/5rTpkCg7IJ

Learn about our security bounty programhttps://t.co/F3VAdJzyeX

— banteg (@bantg) February 11, 2022

SingleSidedBalancer strategy (or SSB) is designed to allow DeFi enthusiasts to farm Balancer's native currency BAL providing single-asset liquidity. SSBs are active on Ethereum (ETH) and Fantom (FTM) blockchains.

The attack design was used to allow hackers to imbalance the Balancer pool and obtain USDT at an inflated price as only SSB strategy on yvUSDT was found to be profitably exploitable.

Through a series of flash loans with USDC and DAI, an attacker could drain Yearn.Finance's liquidity pool for more than $41 million in equivalent.

Another day, another jaw-dropping bounty reward?

As per the detailed explanation shared in Yearn.Finance's security repository on GitHub, the vulnerability was patched in 25 minutes as all exploitable elements were disabled; no funds are at risk now.

By Feb.11, all vulnerable strategies were updated by Yearn.Finance and Balancer. As the possible vulnerability is of a 'Critical' category, on Feb. 2 the white-hat attacker was rewarded with a 200,000 USDC bounty bonus.

As covered by U.Today previously, on Feb.10, the team of the Optimism scaling solution for Ethereum (ETH) paid $2 mln to Mr. Jay Freeman who unveiled the flaw in Optimism smart contracts that would have allowed minting an infinite amount of Ether in every wallet.

Similar bounty reward was transferred to a potential Polygon (MATIC) attacker in October, 2021.

u.today

Similar news (1)
Add similar news

Add similar news

Send us a link to a similar news story on another source.

Why do we need it

The citation rate of a news item indicates its importance and significance. The number of mentions in different sources allows you to look at an event from different angles.

Please help us improve the application. If we have published news and you have found a similar one in another source, send us a link to it.