At 23:36 on November 14th, Beijing time, hackers carried out a flash loan attack on the Value DeFi protocol, which lost nearly 7.4 million U.S. dollars in DAI. After stealing the tokens, the hacker also left the message “do you really know flashloan?” to provoke the development team.
One hour later, Value DeFi officially tweeted to confirm that its MultiStables vault had suffered a complex attack with a net loss of US$6 million. The team is currently conducting a post-mortem analysis and exploring how to reduce the impact on users.
CoinGecko’s quotes show that the VALUE token has fallen since 00:00, hitting a low of $1.87, a maximum drop of 31.75%. It has since rebounded slightly and is now quoted at $2. Value DeFi’s total value locked currently stands at 32.8 million US dollars.
The logic of this incident is similar to the earlier Harvest attack. PeckShield analyzed the incident and believes that the attack succeeded because the project code has a flaw in its AMM-based price oracle.
We analyze the attack based on its transaction (0x46a03488247425f845e444b9c10b52ba3c14927c687d38287c0faddc7471150a). The attacker’s malicious contract is (0x675BD0A0b03096c5ead734cFa00C7620538C7C6F).
Step 1: Obtain 80,000 ETH through an Aave flash loan (approximately 36.8 million US dollars at US$460).
Step 2: Borrow 116 million DAI through a UniswapV2 flash loan (getting something for nothing). Next, the 0x675B malicious contract executes the following.
Step 3: Exchange the 80,000 ETH obtained in step 1 for 31 million USDT on UniswapV2.
Step 4: Deposit 25 million DAI into Value DeFi and receive 24.9 million pooltokens minted by the pool. At this point, the Value DeFi protocol mints 24.956 million new 3crv tokens.
Step 5: Swap 90 million DAI for 90.28 million USDC on Curve. This step changes the balance of Curve’s 3pool (that is, the DAI/USDC/USDT pool) and raises the price of USDC.
Step 6: Swap 31 million USDT for 17.33 million USDC on Curve. At this point the USDC exchange price shows a large deviation. After this step, the price of USDC in Curve’s 3pool rises further.
Step 7: Burn the previously minted 24.9 million pooltokens on Value DeFi. These pooltokens redeem 33.08 million 3crv (8.124 million more than was minted; because DAI is cheaper, the number of 3crv redeemed has increased).
Next, the hacker performed the reverse operations on Curve, earning approximately 860,000 DAI:
Step 8: Exchange 17.33 million USDC on Curve for 30.94 million USDT.
Step 9: Exchange 90.28 million USDC for 90.92 million DAI on Curve.
Step 10: Burn 33.08 million 3crv in 3pool to redeem 33.11 million DAI, which is 8.154 million DAI more than the number of tokens at the time of deposit.
Finally, the remaining steps: repay Aave’s flash loan and return the tokens borrowed from UniswapV2 in step 2. In total, the hacker borrowed 150 million US dollars to extract 7.4 million US dollars.
After this attack, the hacker returned 2 million DAI to the Value DeFi developer (0x7Be4D5A99c903C437EC77A20CB6d0688cBB73c7f), and kept 5.4 million DAI.
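
The pricing flaw behind steps 4 to 7, as an added toy model that is not Value DeFi's or Curve's code: a vault that reads its price from an AMM's instantaneous reserves pays out more than was deposited once the pool is skewed within the same transaction, while a vault that checks the spot price against a reference taken from earlier blocks rejects the withdrawal. Assumptions: a two-asset constant-product pool stands in for Curve's 3pool, the vault pays out in DAI rather than 3crv, and the Vault class, its pricing formula, the reference price and the 2% tolerance are all hypothetical.

```python
# Added illustration: a toy model, not Value DeFi's or Curve's code.
from dataclasses import dataclass

@dataclass
class Pool:
    """Two-asset constant-product pool; a simplification of Curve's 3pool."""
    dai: float
    usdc: float

    def spot(self) -> float:
        """Instantaneous USDC-per-DAI price implied by the reserves."""
        return self.usdc / self.dai

    def sell_dai(self, dai_in: float) -> float:
        """Swap DAI for USDC along x*y=k (fees ignored); returns USDC out."""
        k = self.dai * self.usdc
        self.dai += dai_in
        usdc_out = self.usdc - k / self.dai
        self.usdc -= usdc_out
        return usdc_out

class PriceDeviation(Exception):
    """Raised when the spot price strays too far from the reference price."""

class Vault:
    """Hypothetical vault that values DAI with a price read from the pool."""
    def __init__(self, pool: Pool, reference=None, tolerance=0.02):
        self.pool, self.reference, self.tolerance = pool, reference, tolerance

    def _price(self) -> float:
        spot = self.pool.spot()
        # Hardened mode: compare spot with a reference from earlier blocks
        # (for example a time-weighted average) and refuse large deviations.
        if self.reference is not None:
            if abs(spot - self.reference) / self.reference > self.tolerance:
                raise PriceDeviation(f"spot {spot:.4f}, ref {self.reference:.4f}")
        return spot

    def deposit(self, dai_in: float) -> float:
        return dai_in * self._price()   # shares minted, valued in USDC terms

    def withdraw(self, shares: float) -> float:
        return shares / self._price()   # DAI paid out for the shares

def round_trip(vault: Vault, deposit_dai: float, skew_dai: float) -> float:
    """Deposit, skew the pool in the same transaction, withdraw; returns DAI surplus."""
    shares = vault.deposit(deposit_dai)
    vault.pool.sell_dai(skew_dai)
    return vault.withdraw(shares) - deposit_dai
```

With constructed reserves of 100 million DAI and 100 million USDC, a 25 million DAI deposit followed by a 15 million DAI skew returns about 8.06 million DAI of surplus from the spot-priced vault, and raises PriceDeviation when the vault is built with reference=1.0.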