According to a Twitter thread on Friday that highlighted the method of preventing the use of flash credits of the decentralized financial protocol, Value DeFi appears to have been the victim of a $ 6 million flash loan exploitation.
At approximately 10:45 a.m. EST, a user received a flash loan of 80,000 ETH (more than USD 36 million) from the Aave loan log. Aave developer Emilio Frangella immediately drew attention to the loan:
80,000 Eth Flashloan @AaveAave https://t.co/ngnHIoNKpi
– Emilio Frangella (@ The3D_) November 14, 2020
The attacker then used the funds to launch a flash credit arbitrage attack that targeted Value DeFi’s multi-stablecoin vault. The attacker deposited funds in the vault, negotiated the funds between DAI and USDC, and received a multi-million dollar payday.
At 11:05 a.m., a statement in the Discord community confirmed the exploit:
We are aware of the current situation with the MultiStables safe. Give us some time to review. All other safes and pools function normally.
Shortly after the exploit, The attacker followed up with an Ethereum transaction that appeared to mock the Value DeFi protocol with a message sent to the protocol implementer’s address:
“Do you really know Flashloan?”
The attacker paid $ 0.31 in ETH of his income to send the message.
At 12:12 p.m., the log said in a statement on Twitter that they were preparing an audit for the exploit, causing users to lose $ 6 million:
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $ 6 million. https://t.co/dnFRa5yPBJ
We are currently working on a post mortem and are looking at ways to reduce the impact on our users.
– Value DeFi Protocol (@value_defi) November 14, 2020
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $ 6 million.
We are currently working on an audit and are looking for ways to reduce the impact on our users.
Since the attack, the value of the $ VALUE token has fallen by more than 25% from 2.73 to 2.01, at the end of this issue.
This exploit is only the last in a troubling week in the DeFi area that also saw the Acropolis Protocol attacked. In one TweetAave’s Stani Kulechov noted that the exploit is a sign of the expansion of attack vectors:
“Building a resilient DeFi will be difficult.”