Value DeFi protocol suffers $6 million flash loan exploit

Published at: Nov. 14, 2020

Following a Twitter thread on Friday that highlighted the decentralized finance protocol’s flash loan exploit prevention methodology, Value DeFi appears to have been the victim of a $6 million flash loan exploit. 

At roughly 10:45 AM EST, a user took out a flash loan of 80,000 ETH (over $36 million) from lending protocol Aave. Aave developer Emilio Frangella immediately called attention to the loan:

80.000 eth flashloan on @AaveAave https://t.co/ngnHIoNKpi

— Emilio Frangella (@The3D_) November 14, 2020

According to Emiliano Bonassi, a self-described whitehat hacker and the co-founder of DeFi Italy, the attacker also sourced an additional $116 million flash loan in DAI from Uniswap.

Bonassi says that the attacker swapped the flash-loaned ETH for stablecoins, deposited part of the flash-loaned DAI into Value DeFi's multi-stablecoin vault, and then conducted a series of stablecoin swaps between USDT, USDC, and DAI designed to exploit the pricing used by the Value DeFi vault's withdrawal method.

This is the complex exploit I've ever seen. It used 2 FLASHLOANS, one with @AaveAave (80k ETH) and one using flashswap with @UniswapProtocol (116M DAI). In the image the steps! pic.twitter.com/nTm2SEgsur

— Emiliano Bonassi | emiliano.eth (@emilianobonassi) November 14, 2020

In an interview with Cointelegraph, Bonassi said that while it was conceptually similar to the recent attack on Harvest Finance, it was among the most complex exploits he'd seen, and "one of the very first times" an attacker has utilized two flash loans at once.
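A simplified model of the weakness class described above, a vault that values a withdrawal at a pool price that can be moved inside the same transaction, next to a deviation guard that refuses to price while the pool is skewed. This is an added example, not Value DeFi's code: the constant-product pool, the reserve figures, the 1% tolerance, and all names are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_DEVIATION = 0.01  # assumed tolerance: reject if spot is >1% off the reference

class PriceDeviation(Exception):
    """Raised when the live pool price is too far from the reference price."""

@dataclass
class Pool:
    """Constant-product DAI/USDC pool (constructed model, not any real AMM's code)."""
    dai: float
    usdc: float

    def spot_price(self) -> float:
        """USDC per DAI implied by the reserves right now."""
        return self.usdc / self.dai

    def swap_dai_for_usdc(self, dai_in: float) -> float:
        """Sell DAI into the pool; reserves (and the spot price) move immediately."""
        k = self.dai * self.usdc
        self.dai += dai_in
        usdc_out = self.usdc - k / self.dai
        self.usdc -= usdc_out
        return usdc_out

def naive_withdraw_quote(pool: Pool, claim_usdc: float) -> float:
    """Weak form: DAI paid for a claim, valued at the manipulable spot price."""
    return claim_usdc / pool.spot_price()

def guarded_withdraw_quote(pool: Pool, claim_usdc: float, reference: float) -> float:
    """Hardened form: price at a reference (assumed TWAP/oracle), reject if spot is skewed."""
    spot = pool.spot_price()
    if abs(spot - reference) / reference > MAX_DEVIATION:
        raise PriceDeviation(f"spot {spot:.4f} vs reference {reference:.4f}")
    return claim_usdc / reference

def demo() -> dict:
    pool = Pool(dai=100_000_000, usdc=100_000_000)  # constructed reserves
    reference = pool.spot_price()                   # 1.0 before any large trade
    before = naive_withdraw_quote(pool, 1_000_000)
    pool.swap_dai_for_usdc(25_000_000)              # one large same-transaction swap
    after = naive_withdraw_quote(pool, 1_000_000)
    try:
        guarded_withdraw_quote(pool, 1_000_000, reference)
        blocked = False
    except PriceDeviation:
        blocked = True
    return {"before": before, "after": after, "blocked": blocked}

if __name__ == "__main__":
    print(demo())
```

In this model the same claim is quoted at 1,000,000 DAI before the swap and roughly 1,562,500 DAI after it under spot pricing, while the guarded quote refuses to price until the pool returns to within tolerance of the reference.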

At 11:05, a statement in the community Discord acknowledged the exploit: 

We are aware of the current situation with the MultiStables vault. Please give us a bit of time to check. All other vaults and pools are working normally.

Shortly after the exploit, the attacker followed up with an Ethereum transaction that seemed to taunt the Value DeFi protocol with a message sent to the protocol’s deployer address:

"do you really know flashloan?"

The attacker paid $0.31 in ETH from his profits to send the message.

At 12:12, the protocol said in a statement on Twitter that they were preparing a postmortem on the exploit, which they said led to a loss of $6 million for users: 

The MultiStables vault was the subject of a complex attack that resulted in a net loss of $6M. https://t.co/dnFRa5yPBJ We are currently working on a postmortem and are exploring ways to mitigate the impact on our users.

— Value DeFi Protocol (@value_defi) November 14, 2020

Since the attack, the value of the $VALUE token has plunged over 25%, from 2.73 to 2.01 at press time. 

This exploit is just the latest in what has been a troubling week across the DeFi space, one that also featured an attack on the Akropolis protocol. In a tweet, Stani Kulechov of Aave signaled that the exploit is a sign of expanding attack vectors:

“Building resilient DeFi is becoming difficult.”

This article has been updated to include additional information
