Yearn.Finance (YFI) DeFi Was Vulnerable to Flash Loan Attack; Are Funds SAFU?


Yearn.Finance (YFI), a leading DeFi ecosystem and one of the most hyped protocols in the DeFi summer of 2020, has shared the design of an attack against its architecture (now patched).

Banteg (@bantg), a core developer of the Yearn.Finance (YFI) DeFi ecosystem, shared the details, reported by a white-hat hacker, of a hypothetical attack against elements of its protocol.

Discounted USDT, Maximum Attacker Bounty

According to tweets from Banteg, on January 30, 2022, a white-hat hacker reported an attack scenario against the SingleSidedBalancer strategy, part of Yearn.Finance’s yield farming toolkit.

The SingleSidedBalancer strategy (or SSB) is designed to allow DeFi enthusiasts to farm Balancer’s native currency, BAL, by providing single-asset liquidity. SSBs are active on the Ethereum (ETH) and Fantom (FTM) blockchains.

The attack design would allow hackers to unbalance the Balancer pool and obtain USDT at an inflated price, as only the SSB strategy on yvUSDT proved to be profitable.

Through a series of flash loans with USDC and DAI, an attacker could drain Yearn.Finance’s liquidity pool of more than $41 million in equivalent value.

Another day, another jaw-dropping bounty?

According to the detailed explanation shared in the Yearn.Finance security repository on GitHub, the vulnerability was fixed in 25 minutes as all exploitable elements were disabled; no funds are at risk now.

By Feb. 11, all vulnerable strategies were updated by Yearn.Finance and Balancer. As the possible vulnerability is of a ‘Critical’ category, on Feb. 2 the white-hat attacker was rewarded with a 200,000 USDC bounty bonus.

As previously covered by U.Today, on February 10, the team behind Optimism, a scaling solution for Ethereum (ETH), paid $2 million to Mr. Jay Freeman, who exposed the flaw in Optimism smart contracts that would have minted an infinite amount of Ether in each wallet.

A similar bounty reward was transferred to a potential Polygon (MATIC) attacker in October 2021.
