The DeFi project Value DeFi has become the victim of a so-called “flash loan exploit”, which caused damage of almost 6 million US dollars.
The attacker in question took out two “flash loans” from other DeFi projects and used them to turn the exchange rate differences at Value DeFi to his own advantage. In other words, he found a “gap in the system” and “exploited” it.
Explanation: Flash loans are crypto loans that are approved without the borrower having to put up corresponding collateral. This is possible because the respective loans are literally repaid “in a flash”: they have to be repaid within the same blockchain transaction.
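The atomicity described above, as an added Python simulation (not code from this article or from any of the projects named): the loan needs no collateral because any outcome in which the pool is not repaid is rolled back as if it never happened. The ledger, the account names and the 9-basis-point fee are constructed assumptions.

```python
# Toy model of flash-loan atomicity (constructed; not any protocol's contract code).

class Reverted(Exception):
    """Raised when the surrounding transaction must be rolled back."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} has insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, pool, borrower, amount, callback, fee_bps=9):
    """Lend `amount` uncollateralised; undo everything unless repaid plus fee.

    fee_bps=9 is an assumed illustrative fee, not a figure from the article.
    """
    snapshot = dict(ledger.balances)            # state before the transaction
    required = snapshot[pool] + amount * fee_bps // 10_000
    try:
        ledger.transfer(pool, borrower, amount)
        callback(ledger, borrower)              # borrower's own logic runs here
        if ledger.balances[pool] < required:
            raise Reverted("loan not repaid within the transaction")
    except Reverted:
        ledger.balances = snapshot              # rollback: nothing happened
        return False
    return True

def repay(ledger, borrower):
    ledger.transfer(borrower, "pool", 80_072)   # principal plus fee of 72

def abscond(ledger, borrower):
    ledger.transfer(borrower, "sink", 80_000)   # tries to keep the funds

def demo():
    ledger = Ledger({"pool": 100_000, "borrower": 100})
    ok = flash_loan(ledger, "pool", "borrower", 80_000, repay)
    after_repay = dict(ledger.balances)
    bad = flash_loan(ledger, "pool", "borrower", 80_000, abscond)
    return ok, after_repay, bad, dict(ledger.balances)

if __name__ == "__main__":
    print(demo())
```

The lender's only risk control is the final balance check, so the borrowed capital is safe for the pool while still being usable against other protocols inside the same transaction.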
On Friday at 10:45 a.m. (EST), a crypto user took out such a flash loan of 80,000 ETH (more than 36 million US dollars) from the Aave project. Aave developer Emilio Frangella noticed this unusual occurrence and pointed it out on Twitter:
80.000 eth flashloan on @AaveAave https://t.co/ngnHIoNKpi
– Emilio Frangella (@The3D_) November 14, 2020
Emiliano Bonassi, a self-proclaimed Whitehat hacker and co-founder of DeFi Italy, then reported that the attacker had taken out a flash loan in the stablecoin DAI from the DeFi project Uniswap, which in turn was equivalent to 116 million US dollars.
As Bonassi further noted, the attacker exchanged the ETH borrowed from Aave for stablecoin funds, then deposited part of the DAI received from Uniswap into Value DeFi’s multi-stablecoin vault, and then carried out several exchanges between the stablecoins USDT, USDC and DAI in order to “exploit” the differences in the exchange rate within Value DeFi.
This is the most complex exploit I’ve ever seen. It used 2 FLASHLOANS, one with @AaveAave (80k ETH) and one using flashswap with @UniswapProtocol (116M DAI).
In the image the steps! pic.twitter.com/nTm2SEgsur
– Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 14, 2020
In an interview with Cointelegraph, Bonassi explained that the attack was conceptually similar to the most recent attack on the DeFi project Harvest Finance, but that the action against Value DeFi is the most complex exploit he has seen so far. In addition, he said it was “the first time” that an attacker had used two flash loans at the same time.
A little later, Value DeFi acknowledged the attack on the company’s own Discord server:
“We are aware of the current processes in the MultiStables Vault. Please give us time so that we can examine it carefully. All other vaults and pools run normally.”
Shortly after the exploit ended, the attacker sent an Ethereum transaction to Value DeFi’s address, with which he mocked the project’s operators. He asked sarcastically:
“Do you already know what flash loans are?”
The attacker paid only $0.31 in ETH for this transaction, which is further evidence that the message was all about scorn and ridicule.
At 12:12 p.m. (EST), the DeFi project reported on Twitter that it would publish a clear explanation of the attack. Value DeFi puts the damage to users at 6 million US dollars:
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $6M. https://t.co/dnFRa5yPBJ
We are currently working on a postmortem and are exploring ways to mitigate the impact on our users.
– Value DeFi Protocol (@value_defi) November 14, 2020
Since the exploit, the price of the associated cryptocurrency $VALUE has lost 25%, dropping from $2.73 to just $2.01.
The attack on Value DeFi is the latest chapter in a difficult week for the field of decentralized financial services (DeFi). The Akropolis DeFi project was attacked a few days ago. Stani Kulechov from the DeFi project Aave says that the Value DeFi exploit shows that there are many points of attack in DeFi projects, which makes their operation all the more difficult:
“It’s getting harder and harder to build a resilient DeFi project.”