Value DeFi loses $ 6 million in “flash loan exploit”

Value DeFi is the next DeFi project to fall victim to a serious attack.

The DeFi project Value DeFi fell victim to a so-called “flash loan exploit” , which caused damage of almost 6 million US dollars

The attacker in question used two “flash loans” from other DeFi projects in order to use them to use the exchange rate differences at Value DeFi to their own advantage. So he just found a “gap in the system” and cannibalized it or “exploited” it.

Explanation: Flash loans are crypto loans that are approved without the borrower having to deposit a corresponding deposit. This is possible because the respective loans are literally repaid “in a flash”, because they still have to be paid within the same blockchain transaction.

At 10:45 a.m. (EST) a crypto user had such a flash loan of 80,000 ETH (more than 36 million US dollars) from the Aave project paid out on Friday. Aave developer Emilio Frangella noticed this unusual occurrence and accordingly pointed it out on Twitter:

Emiliano Bonassi, a self-proclaimed Whitehat hacker and co-founder of DeFi Italy, then reported that the attacker had withdrawn a flash loan in the form of the stablecoin DAI from the DeFi project Uniswap, which in turn corresponded to the equivalent of 116 million US dollars .

As Bonassi further noted, the attacker exchanged the ETH borrowed from Aave for stablecoin funds, then deposited part of the DAI received from Uniswap into Value DeFi’s multi-stablecoin vault, and then made several exchanges between the stablecoins USDT, USDC and DAI carried out in order to “exploit” the differences in the exchange rate within Value DeFi.

In an interview with Cointelegraph, Bonassi explains that the attack was conceptually similar to the most recent attack on the DeFi project Harvest Finance , but that the action against Value DeFi is the most complex exploit he has seen so far. In addition, it would have been “the first time” that an attacker used two flash loans at the same time.

A little later, Value DeFi admitted the attack in the company’s own Discord server:

“We are aware of the current processes in the MultiStables Vault. Please give us time so that we can examine it carefully. All other vaults and pools run normally. ”

Shortly after the exploit was over, the attacker sent an Ethereum transaction to the Value DeFi address , which he used to mock the project’s operators. So he asked sarcastically:

“Do you already know what flash loans are?”
The attacker only paid $ 0.31 in ETH with his transaction, which is further evidence that the news was all about scorn and ridicule.

16. November 2020