Started at 21:49:07 PM +UTC, Feb. 4, 2021, the yDAI vault contract was exploited to result in about $11M loss. The incident was due to a flaw in allowing for a forced investment into a strategy, i.e.,
StrategyDAI3pool, which is manipulated to be not profitable at the investment moment. Here we elaborate the technical details of the issue in this blog post.
This incident was due to a flawed logic in allowing for forced investment of a non-profitable strategy. The flashloan has been utilized to influence the targeted strategy so that it becomes not profitable at the specific transaction of exploitation. This nature of the flaw is the same as an earlier issue related to the TUSD vault, though the slippage control is still in place and the attack is profitable because the withdraw fee has been turned off for vault migration. The consequence of this attack directly result in about $11M loss from the affected yDAI vault. Our initial analysis shows that the attacker grabs $2.8M, and the curve pool gets $3M.
The Forced Investment Vulnerability
In the following, we analyze this specific attack as demonstrated in the transaction of 0x6dc2…e027. This attack can be divided into five distinct steps:
- It firstly flashloans from dYdX and AaveV2;
- It next performs unbalanced trades on 3pool so that the affected strategy (
StrategyDAI3pool) becomes non-profitable;
- It then deposits DAI into yDAI vault and triggers the investment (
earn()) into the non-profitable strategy, which further deteriorates the unbalanced state of 3pool;
- It profits from the unbalanced 3pool from the previous two steps; and
- It repeated the above steps to comply with imposed 0.5% slippage control in the strategy and finally pays back the flashloans in the first step. For illustration, we show below the related steps.
It is interesting to note that the affected strategy has enforced the slippage control (0.5%). However, the withdraw fee (originally 0.5%) has been somehow turned off (for migration), which makes the exploit profitable. In order to comply with the enforced slippage control, the actor has repeated the above 3 and 4 steps to avoid the attack from being reverted. After the hack, the team has immediately taken measures to disallow the forced investment!
This attack leads to $11M loss from the affected yDAI vault. And our initial analysis shows that the attacker grabs $2.8M, and the curve pool gets $3M.
The attacker’s funds from the above exploitations are currently held in this wallet: 0x14ec. We are actively monitoring this wallet for any movement.
PeckShield Inc. is an industry leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.