An attacker stole six million dollars from the Value DeFi platform, in the most recent episode of vulnerability detected in so-called decentralized finance services. The operator took advantage of the weaknesses of the system through arbitrage operations. After the malicious act, the person involved received pleas from two users to return the funds, something that was partially addressed.
The forensic report pointed out that the user took advantage of the vulnerability in the following way: he made a flash loan on the Aave platform for 80,000 ethers, about 36 million dollars at that time. The funds were used in part to buy 116 million DAI and 31 million Tether.
It subsequently exchanged 25 million DAI for the stablecoin mvUSD, 91 million DAI for USDC and 31 million USDT for 17 million USDC. The swaps were used to alter the price and method used for vault withdrawals used by Value DeFi.
The platform admitted that the vault code had not been audited and that the attacker took advantage of two vulnerabilities: “The deposit of users in the vault did not verify (the existence) of smart contracts in the ‘Bank’ layer”.
The second vulnerability would be related to the poor implementation of a convertibility function implemented without taking into account a potential fast loan attack, as highlighted in the post-mortem report.
Return of funds and the security of DeFi
According to information from Etherscan, the attacker returned $ 95,000 in DAI to two users who begged for their funds. It is about a nurse and a 19-year-old young man who left incoming messages on the Ethereum blockchain, the base network on which most DeFi works.
The nurse stated that she lost $ 100,000 in the attack and that it represented all of her life savings. The young man said that he learned his lesson after losing $ 200,000, which was creating a family “problem” since he had received the funds to obtain a “high performance.”
A nurse begged the attacker for the return of the $ 100,000 he lost from the Value Defi incident. Source: Etherscan.
The attacker responded by saying, “I don’t expect to get your money, but as we have seen, there are many people here who lack knowledge and caution, and sooner or later that money will be lost. Some wounds are painful, but very effective. I respect your work very much, have a good day.
The attacker said that there are people who lack “knowledge and caution” in handling funds. Source: Etherscan.
To mitigate losses, Value DeFi proposed creating a compensation plan that will have mixed financing to restore funds stolen by the attacker. The initiative would receive resources from the development fund, the insurance fund, and a portion of the fees currently generated by the protocol.
What happened caused the price of the VALUE token to plummet by more than 25%, going from $ 2.79 per unit last Friday to $ 1.90 on Saturday. At the time of publishing this article, its price is $ 2.03, according to CoinGecko metrics.
“Future vault releases will remain only in the audited code (v1) and the v2 (unaudited) will only be released after being heavily audited by public auditors and developers of public strength,” explained the platform.
Attacks on DeFi protocols have been recurring over the past year. Malicious operators they take advantage of the exposed weaknesses of these decentralized finance services within minutes. The Value DeFi situation came just two days after another service, Akropolis, suffered losses of 2 million DAI.
According to a report released by CriptoNoticias last week, in 2020 there have been fewer crimes with cryptocurrencies, but more hacks in DeFi. According to the firm CipherTrace, attackers have made 98 million dollars so far in 2020 by violating services of this type.
One of the most notorious cases recently was the DeFi Harvest protocol. The malicious operator stole $ 24 million after obtaining a $ 50 million flash loan from Uniswap and transacting on USDC and Tether (USDT), resulting in price swings that were exploited.