CertiK: Yearn.Finance exposed a vulnerability, with a total loss of about 71 million RMB

Original title: "CertiK: Yearn.Finance revealed a vulnerability, DeFi suffered another blow, this article will take you to find out the whole incident"
Original source: CertiK

On February 5, according to DeBank data, the total value locked in DeFi exceeded 47 billion US dollars, a new all-time high. At the time of writing, it stood at 47.83 billion US dollars, approximately 309.5 billion yuan.

2020 is known as the "first year of DeFi". Driven by the "liquidity mining" model pioneered by Compound, DeFi saw explosive growth, but its security risks remain high. In the early morning of February 5th, Beijing time, the CertiK security technology team discovered that the DeFi project Yearn.Finance had been attacked. The total loss from the attack was about 71 million yuan, of which the attacker profited about 18 million yuan. The attacker obtained the initial capital for the attack through flash loans and exploited a vulnerability in the Yearn project code to carry out the entire attack.

Screenshot of the attacker's profit

The attack included 11 transactions that took advantage of the vulnerability to make a profit and 3 transactions to convert tokens. The transaction list is as follows:

Except for 3 token conversion transactions, the remaining 11 profitable transactions all targeted the same vulnerability and used the same attack method to complete the profit. The general attack flow chart is as follows:

The specific steps are as follows:

- Use flash loans to raise the initial funds needed for the attack.

- Exploiting a vulnerability in the Yearn.Finance contract, DAI and USDT were repeatedly deposited into and withdrawn from 3Crv in order to obtain more 3Crv tokens than were put in. These tokens were converted to USDT and DAI stablecoins in the 3 subsequent token conversion transactions. After 5 rounds of depositing and withdrawing DAI and USDT from 3Crv, the flash loan was repaid.

- The CertiK security technology team is currently reviewing the vulnerability in Yearn.Finance. More details of the vulnerability will be explained in a subsequent analysis.

Summary

Interactions in the crypto world are often accompanied by certain risks, and investing in secure projects will bring longer-term returns.

High returns are always accompanied by high risks, and the outbreak of this vulnerability is also a warning to the DeFi field.
