Following a Twitter thread on Friday that highlighted the decentralized finance protocol’s flash loan exploit prevention methodology, Value DeFi appears to have been the victim of a $6 million flash loan exploit.
At roughly 10:45 AM EST, a user took out a flashloan of 80,000 ETH (over $36 million) from lending protocol Aave. Aave developer Emilio Frangella immediately called attention to the loan:
— Emilio Frangella (@The3D_) November 14, 2020
The attacker then used the funds to conduct a flash loan arbitrage attack, targeting Value DeFi’s multi-stablecoin vault. The attacker deposited funds in the vault, arbitraged the funds between DAI and USDC, and exited with a multi-million payday.
At 11:05, a statement in the community Discord acknowledged the exploit:
We are aware of the current situation with the MultiStables vault. Please give us a bit time to check. Every other vaults and pools are working normally.
Shortly after the exploit, the attacker followed up with an Ethereum transaction that seemed to taunt the Value DeFi protocol with a message sent to the protocol’s deployer address:
“do you really know flashloan?”
The attacker paid $.31 in ETH from his profits to send the message.
At 12:12, the protocol said in a statement on Twitter that they were preparing a postmortem on the exploit, which they said led to a loss of $6 million for users:
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $6M. https://t.co/dnFRa5yPBJ
We are currently working on a postmortem and are exploring ways to mitigate the impact on our users.
— Value DeFi Protocol (@value_defi) November 14, 2020
Since the attack, the the value of the $VALUE token has plunged over 25%, from 2.73 to 2.01 at press time.
This exploit is just the latest in what has been a troubling week across the DeFi space that also featured an attack on the Akropolis protocol. In a tweet Stani Kulechov of Aave signaled that the exploit is a sign of expanding attack vectors:
“Building resilient DeFi is becoming difficult.”