The yDAI Incident Analysis: Forced Investment

Summary

This incident was due to flawed logic that allows forced investment into a non-profitable strategy. A flash loan was used to influence the targeted strategy so that it becomes non-profitable at the specific transaction of exploitation. The nature of this flaw is the same as that of an earlier issue related to the TUSD vault: the slippage control is still in place, but the attack is profitable because the withdraw fee has been turned off for vault migration. The attack directly results in a loss of about $11M from the affected yDAI vault. Our initial analysis shows that the attacker grabs $2.8M, and the Curve pool gets $3M.

Details

The Forced Investment Vulnerability

In the following, we analyze this specific attack as demonstrated in transaction 0x6dc2…e027. The attack can be divided into five distinct steps:

  1. It first takes flash loans from dYdX and AaveV2;
  2. It next performs unbalanced trades on 3pool so that the affected strategy (StrategyDAI3pool) becomes non-profitable;
  3. It then deposits DAI into the yDAI vault and triggers the investment (earn()) into the non-profitable strategy, which further deteriorates the unbalanced state of 3pool;
  4. It profits from the unbalanced 3pool resulting from the previous two steps; and
  5. It repeats the above steps to comply with the 0.5% slippage control imposed in the strategy and finally pays back the flash loans from the first step.

For illustration, we show below the related steps.
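For monitoring, the call ordering in the five steps can be matched against per-transaction call traces. The following is an added example, not part of the original analysis: the trace rows, transaction ids, action labels and function names are constructed assumptions, and only the contract names come from the text above.

```python
from collections import defaultdict

POOL, VAULT = "3pool", "yDAI"  # contract labels as named in the write-up

# Constructed trace rows (tx id, call index, contract, action); not real chain data.
SAMPLE_TRACE = [
    ("tx-A", 0, "dYdX", "flashloan"),
    ("tx-A", 1, "AaveV2", "flashloan"),
    ("tx-A", 2, POOL, "trade"),       # step 2: pool pushed out of balance
    ("tx-A", 3, VAULT, "deposit"),
    ("tx-A", 4, VAULT, "earn"),       # step 3: vault invests into the skewed pool
    ("tx-A", 5, POOL, "trade"),       # step 4: imbalance unwound
    ("tx-A", 6, POOL, "trade"),       # step 5: second round
    ("tx-A", 7, VAULT, "deposit"),
    ("tx-A", 8, VAULT, "earn"),
    ("tx-A", 9, POOL, "trade"),
    ("tx-B", 0, VAULT, "earn"),       # benign: keeper calls earn() on its own
    ("tx-C", 0, "AaveV2", "flashloan"),
    ("tx-C", 1, POOL, "trade"),       # benign: flash-loaned trade, vault untouched
]

def count_rounds(calls):
    """Count trade -> earn() -> trade rounds that follow a flash loan in one tx."""
    borrowed, state, rounds = False, "idle", 0
    for _, contract, action in sorted(calls):  # sorted by call index
        if action == "flashloan":
            borrowed = True
        elif not borrowed:
            continue
        elif (contract, action) == (POOL, "trade"):
            if state == "invested":   # earn() was bracketed by pool trades
                rounds += 1
            state = "skewed"          # any pool trade may leave the pool skewed
        elif (contract, action) == (VAULT, "earn") and state == "skewed":
            state = "invested"
    return rounds

def flag_transactions(trace, min_rounds=1):
    """Return {tx id: rounds} for transactions matching the pattern."""
    by_tx = defaultdict(list)
    for tx, idx, contract, action in trace:
        by_tx[tx].append((idx, contract, action))
    hits = {tx: count_rounds(calls) for tx, calls in by_tx.items()}
    return {tx: n for tx, n in hits.items() if n >= min_rounds}

if __name__ == "__main__":
    print(flag_transactions(SAMPLE_TRACE))
```

A repeated-round count is the useful signal here, since the steps above are repeated to stay within the per-call 0.5% slippage control.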

The Funds

This attack leads to a loss of $11M from the affected yDAI vault. Our initial analysis shows that the attacker grabs $2.8M, and the Curve pool gets $3M.

About Us

PeckShield Inc. is an industry-leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at Telegram, Twitter, or email.
