Hacker Steals $2.8 Million from Yearn.finance Proving Blockchains Hackable
Yearn.finance was left in trouble on Thursday evening after an unidentified individual stole $2.8 million from a shared digital “vault” on the investment website. The hacker exploited the vault using Aave, a platform that lets users lend and borrow money through flash loans, which require no collateral.
Yearn.finance has not commented on the hack, but the incident proves that blockchain technology is hackable despite previous beliefs. It further shows that, like any other technology, blockchain has its vulnerabilities.
How Yearn Finance Was Hacked
Yearn.finance allows users to deposit funds into collective digital pools called vaults. Each vault is then run like an actively managed mutual fund, with the pooled funds used in other DeFi offerings to generate additional profits.
In particular, Yearn.finance bases its transactions on Ethereum, a universal cryptocurrency whose transactions can run program code, known as smart contracts, for various functions. Like any other cryptocurrency, Ethereum uses blockchain technology to monitor its transactions.
The hacker exploited the vault by using an Aave flash loan, which enabled them to drain the vault before they were swiftly stopped.
Reports of the hack were first posted on Discord, a community-centered instant messaging and digital distribution platform, on Thursday evening.
At 4:38 p.m., Jeffrey Bongos, a user on Yearn’s Discord server, wrote asking if anyone knew why the v1Dai vault showed that he had lost thousands of Dai in the last few minutes.
A little after 5 p.m., the Yearn website showed the vault as having sustained a 1059% loss. At 5:14 p.m., a member of Yearn.finance’s team wrote on Discord that the attacker got away with 2.8m.
Blockchain is Hackable
Stani Kulechov, the founder of the DeFi platform Aave, later tweeted the transactions underlying the operation, which involved a suite of DeFi protocols and an ETH-denominated gas fee of over $5,000.
Kulechov wrote that a complex exploit with over 160 nested transactions and 8.6 million gas used (around 75% of the block) resulted in a 2.7 million USD loss.
Blockchain can withstand traditional cyberattacks fairly well, but cybercriminals are developing new approaches specifically for hacking blockchain technology. At first glance, blockchain looks like a robust and transparent system immune from fraud or scams. In fact, MIT reports that hackers have stolen nearly $2 billion worth of cryptocurrency since 2017.
Currently, deposits into strategies have been disabled for the v1 DAI, TUSD, USDC and USDT vaults while investigations continue.