Value DeFi exploited for $6 million with 2 flash loans from Aave and Uniswap
Last Updated on 15 November 2020 by CryptoTips.eu
The DeFi sector continues to suffer from security breaches with the latest affecting Lending protocol Value DeFi. It is believed that the DeFi protocol fell victim to a flash loan exploit which resulted in the loss of $6 million.
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $6M. https://t.co/dnFRa5yPBJ
— Value DeFi Protocol (@value_defi) November 14, 2020
We are currently working on a postmortem and are exploring ways to mitigate the impact on our users.
The flash loan attack on Value DeFi came after the protocol had Tweeted a now-deleted tweet that its protocol was safe from flash loan attacks. A flash loan is a feature on DeFi whereby users can borrow funds from a pool without the requirements of collateral and payback within the same transaction.
Complex Flash Loan Attack
The unknown attacker utilized a complex process to steal the funds from Value DeFi using an elaborate scheme. Firstly, he took a flash loan from popular lending protocol Aave worth around 80,000 ETH. After which he proceeded to secure $116 million worth of DAI from popular decentralized exchange UniSwap.
After concluding this process the hacker swapped the ETH from the flash loans into stablecoins before depositing part of the DAI into Value DeFi stablecoin vault.
He continued with his attack by exchanging a series of swaps involving USDC, USDT and DAI with the purpose of exploiting the pricing utilized by Value DeFi vault’s withdrawal method.
Giga arbitrage/exploit https://t.co/iP8ivD8PRl https://t.co/zP6nh0PUkS pic.twitter.com/KMPX4LeM3U
— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 14, 2020
Using this scheme the attacker was able to withdraw about $6.5 million worth of DAI from Value Defi Pool. His activities can be seen here on etherscan.
Following the success of the exploit attack, the attacker signed a transaction with the following words:
do you really know flashloan?
This was in reference to the earlier tweet from Value DeFi claiming that their platform was secure from flash loans.
Value DeFi acknowledged the exploit and revealed in a tweet what their plans are.
We have re-enabled the UI to withdraw after the recent exploit in the MultiStables Vault.
— Value DeFi Protocol (@value_defi) November 15, 2020
1) Withdrawing will receive about 28.24% of your initial deposit
2) A snapshot of anyone who was affected by the exploit will be able to claim the other 20% in $DAI from the 2 mil returned
Value Liquidity price dumps following exploit
As expected the value of Value DeFi has dipped since the attack with the protocol down 22% in the past 24 hours. Its native token Value is currently priced at $2.08 down from its initial price of $2.73 recorded before the exploit attack.
This latest attack on Value Defi caps a tumultuous few weeks for the crypto landscape which featured a recent attack on Akropolis protocol. The DeFi sector continues to be vulnerable to attacks due to its novel nature and lack of proper auditing by DeFi protocols. Earlier we saw the Eminence hack and Harvest Finance hack.