Harvest Finance, the yield farming protocol that once made a $1 billion profit on Ethereum, suffered a brutal attack last week that wiped out about $30 million from user accounts. The attacker used a flash loan together with a series of manipulative transactions between Curve, Uniswap, and Harvest to drain millions of dollars worth of stablecoins from Harvest. The attack highlighted how flash loans can be used to exploit economic vulnerabilities in DeFi protocols for millions of dollars, and most recently Yearn.finance ran into a similar situation.
There is a similar economic hole in Yearn.finance
Security researcher Wen-Ding Li found a similar economic flaw in Yearn.finance. Luckily, instead of exploiting this vulnerability, he reported it to the Yearn.finance team.
As reported by Yearn.finance developer Artem “Banteg” K, on October 29 the team behind the protocol was contacted by security researcher Wen-Ding Li through its security disclosure channels.
Wen-Ding Li described a potential flash loan attack on Yearn.finance’s TUSD Vault. Yearn.finance’s core product is the Vault, which runs automated yield farming strategies with the tokens deposited in it.
The team said:
“Having established contact, Wen-Ding discloses that he has an initial proof of concept of a flash loan attack that can be mounted on the TUSD vault, resulting in an 18% loss to users, with the attacker being able to walk away with 650k TUSD.”
A novel flash loan attack vector has been discovered by @xu3kev and was promptly mitigated by the Yearn’s security team.
Read the disclosure here: https://t.co/BiLjUoCrBp
— banteg (@bantg) October 31, 2020
The theoretical attack vector is similar to the Harvest attack: the Yearn.finance Vault did not properly account for Curve slippage when depositing and withdrawing, which would allow an attacker to manipulate stablecoin prices on Curve to their advantage.
Banteg further explained:
“Combined, this meant that an attacker could crunch the DAI supply in the Curve’s y pool, and profit from the imbalance caused as outlined below.”
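To make the mechanism concrete, here is an added toy simulation (not Yearn’s or Curve’s code): a constant-product pool stands in for Curve’s stableswap curve, and a vault that accepts whatever the pool returns is compared with one that refuses a withdrawal whose output falls short of the assumed 1:1 stablecoin peg by more than a tolerance. Pool balances, the peg and the tolerance are constructed values.

```python
from dataclasses import dataclass

PEG = 1.0  # assumed fair value: 1 TUSD == 1 DAI (constructed reference price)


@dataclass
class ToyPool:
    """Two-stablecoin pool using x*y=k as a stand-in for Curve's stableswap."""
    dai: float
    tusd: float

    def quote_tusd_to_dai(self, tusd_in: float) -> float:
        """DAI received for tusd_in; slippage comes from the curve shape."""
        k = self.dai * self.tusd
        return self.dai - k / (self.tusd + tusd_in)

    def swap_tusd_to_dai(self, tusd_in: float) -> float:
        dai_out = self.quote_tusd_to_dai(tusd_in)
        self.tusd += tusd_in
        self.dai -= dai_out
        return dai_out


class SlippageTooHigh(Exception):
    pass


def withdraw_naive(pool: ToyPool, tusd_amount: float) -> float:
    """Weak pattern: take whatever the pool gives, even if the pool was
    imbalanced earlier in the same transaction."""
    return pool.swap_tusd_to_dai(tusd_amount)


def withdraw_guarded(pool: ToyPool, tusd_amount: float, max_slippage_bps: int) -> float:
    """Hardened pattern: quote first, compare against the peg, and revert when
    the shortfall exceeds the tolerance; the swap only runs if the check passes."""
    expected = tusd_amount * PEG
    quoted = pool.quote_tusd_to_dai(tusd_amount)
    shortfall_bps = (expected - quoted) / expected * 10_000
    if shortfall_bps > max_slippage_bps:
        raise SlippageTooHigh(f"shortfall {shortfall_bps:.0f} bps > {max_slippage_bps} bps")
    return pool.swap_tusd_to_dai(tusd_amount)


def demo() -> tuple[float, float, bool]:
    balanced = ToyPool(dai=1_000_000.0, tusd=1_000_000.0)
    crunched = ToyPool(dai=200_000.0, tusd=1_000_000.0)  # constructed: DAI side drained
    ok_out = withdraw_guarded(balanced, 1_000.0, max_slippage_bps=50)
    naive_out = withdraw_naive(ToyPool(dai=200_000.0, tusd=1_000_000.0), 1_000.0)
    try:
        withdraw_guarded(crunched, 1_000.0, max_slippage_bps=50)
        reverted = False
    except SlippageTooHigh:
        reverted = True
    return ok_out, naive_out, reverted
```

In the balanced pool the guarded withdrawal passes with roughly 0.1% slippage; in the imbalanced pool the naive vault silently hands out about a fifth of the expected DAI, while the guarded vault reverts.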
Luckily, the exploit was quickly patched, and the Vault was no longer vulnerable.
Incidentally, the Yearn.finance Vaults for DAI and GUSD are both exposed to the same attack vector, but appropriate measures have been taken to prevent it.
This attack vector surfaced shortly after another one was patched. In late September, developers announced they had patched a vulnerability that could have put funds in the yDAI, yTUSD, and yUSD vaults at risk.
The post “A security researcher in the space found an economic flaw similar to Harvest Finance’s within Yearn.finance” appeared first on AZCoin News.