On November 18, the native token of the DeFi protocol Yearn.Finance (YFI) and the decentralized exchange (DEX) dYdX were reportedly hit by a $9 million attack. According to reports, the attackers exploited a longstanding issue with the underlying Ethereum blockchain, which allowed them to bypass the two protocols’ rules and liquidate millions of YFI tokens and hundreds of Ethereum (ETH) at the DEX.
The technical issue involved a timing gap in users’ ability to use flash loans to liquidate assets. Flash loans are a kind of loan that can be completed in a single transaction. The loans are made off-chain and can be used to take advantage of inefficiencies in financial and insurance products. The attack exploited the fact that flash loans have no accompanying collateral until after the loan has been completed, allowing the attackers to bypass rules that require users to have collateral before completing a loan.
Once the attackers had bypassed the DEX’s rules, they liquidated millions of YFI tokens at a rate of two-to-one, meaning the attackers received double the amount of ETH they put up as collateral. The attack also caused a massive spike in the DEX’s fees, a phenomenon known as transaction fee exploitation. Fortunately, the attack was contained and the DEX’s smart contracts are now safer than ever. In the aftermath of the attack, YFI tokens and Ethereum locked up at the DEX have returned to their previous levels.