SlowMist: A brief analysis of yearn finance being hacked

On February 5, 2021, according to the intelligence of the SlowMist Zone, the DAI strategy pool of the well-known chain machine gun pool yearn finance was attacked. The SlowMist security team immediately followed up the analysis. The following is a brief analysis of SlowMist:

1. The attacker first borrowed a large amount of ETH from dYdX and AAVE using flash loans

2. The attacker uses the ETH loaned from step 1 to loan DAI and USDC in Compound

3. The attacker deposits all USDC and most of the DAI in step 2 into the Curve DAI/USDC/USDT pool. At this time, due to the huge liquidity deposited by the attacker, he has actually controlled the Curve DAI/USDC/USDT Most liquidity

4. The attacker withdraws a certain amount of USDT from the Curve pool, which makes the ratio of DAI/USDT/USDC imbalance and depreciates DAI/ (USDT&USDC)

5. In the third step, the attacker recharges the remaining DAI into the year DAI strategy pool, and then calls the earn function of the year DAI strategy pool to transfer the recharged DAI to the Curve DAI/USDT/USDC pool at an unbalanced ratio, and at the same time DAI strategy pool will receive a certain amount of 3CRV tokens

6. The attacker re-deposits the USDT removed in step 4 into the Curve DAI/USDT/USDC pool to restore the ratio of DAI/USDT/USDC

7. The attacker triggers the withdraw function of the year DAI strategy pool. Since the year DAI strategy pool is stored in an unbalanced ratio, the normal ratio is now used for withdrawal. The proportion of DAI in the pool has increased, resulting in the same number of 3CRV generations. The amount of DAI that can be retrieved by the coin decreases. This part of the less retrieved tokens remains in the Curve DAI/USDC/USDT pool

8. As the attacker already holds most of the liquidity in the Curve DAI/USDC/USDT pool in step 3, most of the DAI that the yearn DAI strategy pool failed to retrieve will be allocated to the attacker

9. Repeat steps 3–8 above 5 times, and return the flash loan to complete the profit.

Reference attack transaction:

https://etherscan.io/tx/0xb094d168dd90fcd0946016b19494a966d3d2c348f57b890410c51425d89166e8

About us

SlowMist Technology is a company focused on blockchain ecosystem security. It has served many top or well-known projects around the world through “the security solution that integrated the threat discovery and threat defense while tailored to local conditions” and has nearly a thousand commercial customers. SlowMist’s security solutions include security audit, threat intelligence (BTI), bug bounty, defense deployment, security consultant, and other services. SlowMist is equipped with cryptocurrency anti-money laundering (AML), false top-up scanner, vulnerability scanner, and vulnerability monitoring (Vulpush), hacked project archives (SlowMist Hacked), smart contract firewall (FireWall.X), Safe Staking and other SAAS security products. It has been widely concerned and recognized by the industry.

Focuses on Blockchain Ecosystem Security, has served Huobi/OKEx/Binance/imToken, nearly a thousand commercial customers in total.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store