CertiK: Yearn.Finance has a shocking vulnerability, and DeFi has been hit again. This article will take you to find out the whole story

CertiK
4 years ago
On February 5th, Beijing time, the CertiK security technology team discovered an attack on the DeFi project Yearn.Finance. The total loss of the attack was as high as about 71 million RMB, and the hacker gained about 18 million RMB from it.

On February 5th, according to DeBank data, the real lock-up volume of DeFi exceeded 47 billion U.S. dollars, a record high. At the time of writing this article, it was 47.83 billion U.S. dollars, equivalent to approximately 309.5 billion yuan.


2020 is known as the first year of DeFi. DeFi has achieved a historic explosion driven by the liquidity mining pioneered by Compound, but its security risks remain high.
In the early hours of February 5th, Beijing time, the CertiK security technology team discovered an attack on the DeFi project Yearn.Finance. The total loss of the attack was as high as 71 million RMB, and the hacker gained about 18 million RMB from it.

Screenshot of the attacker's profits

The attack consisted of 11 profit-making transactions that exploited the vulnerability and 3 token conversion transactions. The transaction list is as follows:


Apart from the 3 token conversion transactions, the 11 profit-making transactions all targeted the same vulnerability and used the same attack method to make their profit.
Specific steps are as follows:
  • Use flash loans to raise the initial capital needed for the attack.

  • Exploiting the vulnerability in the Yearn.Finance contract, repeatedly deposit DAI and USDT into 3crv and withdraw them again in order to obtain more 3Crv tokens. These tokens were converted into USDT and DAI stablecoins in the 3 subsequent token conversion transactions. After completing 5 rounds of DAI and USDT deposits and withdrawals from 3crv, repay the flash loan.
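
From the monitoring side, the shape of these steps (a flash loan wrapped around repeated deposit/withdraw round trips on one pool) can be checked per transaction. The following is an added example, not CertiK's or Yearn.Finance's code; the `Action` record, the action labels, the `min_trips` threshold and the sample traces are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    kind: str   # constructed labels: borrow, deposit, withdraw, swap, repay
    pool: str   # pool touched; "" for the flash-loan provider
    token: str

def round_trips(actions, pool):
    """Count ordered deposit -> withdraw round trips against one pool."""
    trips, open_deposit = 0, False
    for a in actions:
        if a.pool != pool:
            continue
        if a.kind == "deposit":
            open_deposit = True
        elif a.kind == "withdraw" and open_deposit:
            trips += 1
            open_deposit = False
    return trips

def flag_tx(actions, min_trips=3):
    """Return (pool, trips) if repeated round trips sit inside a flash loan."""
    kinds = [a.kind for a in actions]
    if "borrow" not in kinds or "repay" not in kinds:
        return None  # no flash loan in this transaction
    start = kinds.index("borrow")
    end = len(kinds) - 1 - kinds[::-1].index("repay")
    inside = actions[start + 1:end]  # empty if repay precedes borrow
    best = None
    pools = {a.pool for a in inside if a.kind in ("deposit", "withdraw")}
    for pool in sorted(pools):
        trips = round_trips(inside, pool)
        if trips >= min_trips and (best is None or trips > best[1]):
            best = (pool, trips)
    return best

# Constructed traces (not real on-chain data).
_CYCLE = [Action("deposit", "3crv", "DAI"), Action("withdraw", "3crv", "USDT")]
LOOPED = [Action("borrow", "", "DAI"), *(_CYCLE * 5), Action("repay", "", "DAI")]
BENIGN_DEPOSIT = [Action("deposit", "3crv", "DAI")]
FLASH_ARBITRAGE = [Action("borrow", "", "DAI"), Action("swap", "dex", "DAI"),
                   Action("repay", "", "DAI")]

if __name__ == "__main__":
    for name, tx in [("looped", LOOPED), ("deposit", BENIGN_DEPOSIT),
                     ("arbitrage", FLASH_ARBITRAGE)]:
        print(name, flag_tx(tx))
```

A hit is a triage signal rather than proof of abuse; the threshold should be tuned against the protocol's normal traffic.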


Summary

Interactions in the crypto world always carry a certain amount of risk, and investing in secure projects brings longer-term returns.

High returns are necessarily accompanied by high risks. The exploitation of this vulnerability is also a warning to the DeFi field.

Original article, author: CertiK. For reprints, content collaboration, or reporting, please contact report@odaily.email; illegal reprinting will be punished by law.
