Skip to content

Latest commit

 

History

History
44 lines (26 loc) · 2.83 KB

2021-02-05-Yearn.md

File metadata and controls

44 lines (26 loc) · 2.83 KB
Raw

Yearn Exploit

Yu Pan 2021-2-5.

Background

Yearn Finance is a suite of products in Decentralized Finance (DeFi) that provides lending aggregation, yield generation, and insurance on the Ethereum blockchain. Yearn Vaults, in essence, are pools of funds with an associated strategy for maximising returns on the asset in the vault. Vault strategies are more active than just lending out coins like in the standard Yearn protocol. In fact, most vault strategies can do multiple things to maximise the returns.

The attacked was on Yearn's v1 yDAI vault has led to 11m DAI of vault deposits being lost.

Technical description

At a high level, the exploiter was able to profit through the following steps:

  1. Debalance the exchange rate between stablecoins in Curve's 3CRV pool.
  2. Make the yDAI vault deposit into the pool at an unfavorable exchange rate.
  3. Reverse the imbalance caused in step 1.

This pattern was repeated in a series of 11 transactions executed over 38 minutes before being mitigated yearn writeup.

Using one of the transactions[4] as an example.

  1. Mint 3crv shares by depositing 134m USDC and 36m DAI to Curve 3pool.
  2. Withdraw 165m USDT from Curve 3pool. The pool is now at an imbalance, having significantly less USDT in proportion to USDC and DAI.
  3. Repeat the following step several times, for increasingly smaller amounts:
    1. Deposit DAI into yDAI vault. This causes the vault to deposit DAI into the imbalanced 3pool, at an unfavorable exchange rate.
    2. Deposit 165m USDT into the Curve 3pool again, partially restoring the imbalance in the pool.
    3. Withdraw DAI from yDAI vault. The 3pool returns only 92.3m DAI, 0.7m DAI of the yVault's funds remain in the 3pool.
    4. Withdraw 165m USDT from the 3pool to cause the imbalance again.
  4. In the final repetition, instead of withdrawing USDT, redeem the initial 3crv shares and withdraw 134m USDC and 39.4m DAI, i.e. 2.9m DAI more than what was deposited originally.

Great simulation of the attack in python

Timeline

  • Attack started at eb-04-2021 09:12:40 PM +UTC with a series transactions adding and removing liquidity contract
  • Apparently yearn was able to called together their multisig within 11 minutes and stop the exploit whule it's underway.

Conclusion

As mentioned in their writeup up the contributing factor was that their slippage protection was at 1% and that their withdrawal fee was at 0%(for promo?). We do have a pretty high withdrawal fee and a cap on the exchange rates, but might want to review ways to create token imbalances.