A decentralized finance (defi) protocol that bragged about having flash loan attack prevention has been exploited for $6 million in DAI, in a flash loan attack.
Value Defi, a yield aggregating protocol, boasted of having the “highest security” in a Nov. 13 tweet that now appears to have been deleted. The protocol claimed that its technology was capable of preventing flash loan attacks.
Hardly a day later, hackers plundered Value Defi’s multi-stablecoin vault of a total of $8 million of the stablecoin DAI. The attacker returned $2 million to the protocol and pocketed $6 million — and with it left one audacious message stating, “do you really know flashloan?”
Value Defi said it suffered a “complex attack that resulted in a net loss of $6 million.”
The hacker took out a loan of 80,000 ether from the defi lending platform Aave and also borrowed an additional $116 million in DAI from Uniswap. According to Value Defi’s postmortem of the incident, the attacker swapped the ETH loan for stablecoins and deposited part of the flash-loaned DAI into the protocol’s vault.
He then made a series of stablecoin swaps involving USDT, USDC, and DAI — a technique that eventually exploits Value Defi’s vault withdrawal method. Aave developer Emiliano Bonassi exclaimed:
This is the complex exploit I’ve ever seen. It used two flashloans.
Flash loans allow users to borrow money without collateral because the lender expects the funds to be returned within one transaction block, almost immediately. Hackers have used this loophole in defi to steal millions of dollars.
In its postmortem, Value Defi said it was looking at ways to compensate affected users. It stated that users can claim 20% in DAI from the $2 million that was returned by the hackers. The protocol is also hiking transaction fees to generate income for compensation.
“We will create a compensation fund which will be funded by a combination of the dev fund, insurance fund and a portion of the fees that are currently generated by the protocol,” it explained.
The price of Value Defi’s native token, value liquidity, plunged as much as 28% on the day of the attack to $1.99 from $2.76, according to Coingecko data. At press time, the token was trading at $2.05, down 4.9% in 24 hours.
This latest exploit comes just two days after another $2 million heist at defi lending protocol Akropolis.
<Source: Bitcoin News>