ValueDeFi flash-loan attack exposes critical lack of due diligence in DeFi

OKEx Insights’ DeFi Digest is a weekly examination of the decentralized finance industry.

DeFi market snapshot

The decentralized finance market maintained its bullish momentum this week as the total value locked in DeFi products rose slightly from $13.65 billion to $13.80 billion.

The decentralized lending market grew by 8% this week as the total borrowing volume reached $3.09 billion. Benefiting from the growth, Maker replaced Uniswap as the overall DeFi leader, with a 17% market dominance level. Compound, meanwhile, maintained its market dominance in the lending sphere, with a 55% share.

The weekly average trading volume of decentralized exchanges rose by 20% and reached $0.53 billion this week. While Uniswap maintained its trading volume dominance of 37%, its position as having the largest liquidity pool was replaced by its primary competitor, SushiSwap.

Flash-loan attacks proving problematic for DeFi

Flash-loan attacks have become a headache for the DeFi community as yield aggregator ValueDeFi became the fifth victim in only three weeks. Following the $34 million loss from Harvest Finance, there have been flash-loan exploits of Akropolis, Origin Protocol and Cheese Bank, with a loss of $2 million, $7 million and $3.3 million, respectively.

ValueDeFi suffered from a $6 million flash-loan exploit on Nov. 14. According to Emiliano Bonassi, a self-described white-hat hacker, the flash-loan exploit on the ValueDeFi protocol was more complex than previous attacks, as two flash loans were used. Hackers took out a flash loan of 80,000 ETH — worth over $36 million — and a $116 million flash loan in DAI from Uniswap to exploit the ValueDeFi protocol, resulting in a net loss of $6 million.

The detailed steps for the attack were illustrated on Bonassi’s Twitter account:

According to an analysis conducted by audit firm PeckShield, the root cause of the ValueDeFi protocol exploit was a bug in its “MultiStablesVaults,” which uses Curve to measure the asset price. Because of the bug, hackers were able to use flash loans to manipulate the price of 3crv tokens. After that, they could burn the minted tokens from the pool to redeem a disproportionate share of 33.08 million 3crv tokens, instead of the normal 24.95 million. Hackers then redeemed the 3crv tokens for DAI, which led to a $7.4 million loss in DAI. (The hackers did, however, returne $2 million to the core developers of ValueDeFi.)

Visit for the full report.

OKEx Insights presents market analyses, in-depth features, original research & curated news from crypto professionals.

Not an OKEx trader? Sign up, start trading and earn 10USDT reward today!

ValueDeFi flash-loan attack exposes critical lack of due diligence in DeFi was originally published in OKEx Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Publication date: 
11/23/2020 - 08:44

The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.