A decentralized finance (defi) protocol that bragged about having flash loan attack prevention has been exploited for $6 million in DAI, in a flash loan attack.
Value Defi, a yield aggregating protocol, boasted of having the â€œhighest securityâ€ in a Nov. 13 tweet that now appears to have been deleted. The protocol claimed that its technology was capable of preventing flash loan attacks.
Hardly a day later, hackers plundered Value Defiâ€™s multi-stablecoin vault of a total of $8 million of the stablecoin DAI. The attacker returned $2 million to the protocol and pocketed $6 million â€” and with it left one audacious message stating, â€œdo you really know flashloan?â€
Value Defi said it suffered a â€œcomplex attack that resulted in a net loss of $6 million.â€
The hacker took out a loan of 80,000 ether from the defi lending platform Aave and also borrowed an additional $116 million in DAI from Uniswap. According to Value Defiâ€™s postmortem of the incident, the attacker swapped the ETH loan for stablecoins and deposited part of the flash-loaned DAI into the protocolâ€™s vault.
He then made a series of stablecoin swaps involving USDT, USDC, and DAI â€” a technique that eventually exploits Value Defiâ€™s vault withdrawal method. Aave developer Emiliano Bonassi exclaimed:
Flash loans allow users to borrow money without collateral because the lender expects the funds to be returned within one transaction block, almost immediately. Hackers have used this loophole in defi to steal millions of dollars.
In its postmortem, Value Defi said it was looking at ways to compensate affected users. It stated that users can claim 20% in DAI from the $2 million that was returned by the hackers. The protocol is also hiking transaction fees to generate income for compensation.
â€œWe will create a compensation fund which will be funded by a combination of the dev fund, insurance fund and a portion of the fees that are currently generated by the protocol,â€ it explained.
The price of Value Defiâ€™s native token, value liquidity, plunged as much as 28% on the day of the attack to $1.99 from $2.76, according to Coingecko data. At press time, the token was trading at $2.05, down 4.9% in 24 hours.
This latest exploit comes just two days after another $2 million heist at defi lending protocol Akropolis.
What do you think about the frequency of flash loan attacks in the defi industry? Let us know in the comments section below.