Value DeFi, which claims to be the most secure protocol in the DeFi field, was hit by a flash loan attack. Do they really understand flash loans?
Original Title: “The Whole Story of Value DeFi Attack, Flash Loan Takes Another 7 Million Dollars This Time”
Written by: rekt
Compilation: Porridge Overnight
In the early morning of November 15th, Beijing time, the decentralized financial protocol Value DeFi was hit by a flash loan attack. The attacker transferred about 7 million U.S. dollars from the vault of the Value protocol through complex methods, then returned 2 million U.S. dollars with a mocking message attached: “Do you really understand flash loans?” The day before the attack, Value DeFi had publicly declared that it was the most secure protocol in the DeFi field and was able to resist flash loan attacks.
The original text is from rekt, and the author analyzed the attack.
Do they really understand flash loans?
Reputation is an unstable asset: humility brings stability, and too much boasting only leads to a mess.
Value DeFi was hacked for $7 million today in a flash loan attack. This is another painful lesson about flash loans.
- Token price before the hack: $2.73
- Token price after the hack: 1.87 USD
Ironically, the day before the hacker attack, the project team posted this tweet:
This tweet was later deleted, but our screenshot is still alive.
Although the Value DeFi team boldly declared that their protocol is safe, they don’t seem to know that withdrawals can be made not only through the main contract, but also through the agent from the vault contract.
Value DeFi uses the Curve spot price as an oracle.
The detailed steps of the attack are as follows:
Manipulation occurs in steps 5 and 6.
The withdrawal in the seventh step uses the wrong Curve function for mathematical operations.
Credit: @FrankResearcher
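Why a spot price makes a fragile oracle, and one vault-side mitigation, shown as an added example that is not from rekt's post or from Value DeFi's code. It assumes a fee-less constant-product pool in place of Curve's StableSwap pool, and every name and number in it is constructed:

```python
# Added illustration, not Value DeFi or Curve code. A fee-less constant-product
# pool (a * b = k) stands in for the AMM; all names and numbers are constructed.
class Pool:
    def __init__(self, reserve_a, reserve_b):
        self.a, self.b = float(reserve_a), float(reserve_b)
    def spot_price(self):
        return self.b / self.a  # instantaneous price of token A in token B

    def swap_b_for_a(self, amount_b):  # sell B into the pool, receive A
        k = self.a * self.b
        self.b += amount_b
        out_a, self.a = self.a - k / self.b, k / self.b
        return out_a

class OracleDeviation(Exception):
    """Spot price is too far from the time-weighted reference to be trusted."""

class GuardedOracle:
    """Answers with a TWAP and refuses when the current spot price has drifted."""
    def __init__(self, pool, max_deviation=0.02):
        self.pool, self.max_deviation = pool, max_deviation
        self.samples = []  # (timestamp, spot price), recorded once per block

    def observe(self, timestamp):
        self.samples.append((timestamp, self.pool.spot_price()))

    def twap(self):
        pairs = zip(self.samples, self.samples[1:])
        weighted = sum(p * (t1 - t0) for (t0, p), (t1, _) in pairs)
        return weighted / (self.samples[-1][0] - self.samples[0][0])

    def price(self):
        ref, spot = self.twap(), self.pool.spot_price()
        if abs(spot - ref) / ref > self.max_deviation:
            raise OracleDeviation(f"spot {spot:.4f} vs TWAP {ref:.4f}")
        return ref

def demo():
    pool = Pool(1_000_000, 1_000_000)
    oracle = GuardedOracle(pool)
    for ts in (0, 60, 120):          # three quiet blocks at price 1.0
        oracle.observe(ts)
    before = pool.spot_price()
    pool.swap_b_for_a(4_000_000)     # one oversized trade inside a single block
    try:
        oracle.price()
    except OracleDeviation:
        return before, pool.spot_price(), True
    return before, pool.spot_price(), False
```

A contract that read `spot_price()` directly would value token A at 25 times its price one block earlier; the guarded oracle refuses to price at all until spot and TWAP agree again.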
15:24: The attack came at a very unfavorable time for the Value DeFi team, 20 minutes before they started an AMA event.
At 15:41, a user asked why the protocol's total value locked (TVL) had dropped. Earlier in the day, Value DeFi's TVL had exceeded 11 million US dollars.
By 15:49, people’s concerns were growing, and the protocol team members informed everyone that this was a UI bug.
Then at 15:49, someone posted the Etherscan link in the chat room.
Value DeFi vault funds worth 7 million U.S. dollars were transferred, after which the attacker returned 2 million U.S. dollars and attached the following message:
“Do you really understand flash loans?”
At 16:00, just before the AMA was about to start, Stani Kulechov posted the following tweet to inform everyone what happened.
Meanwhile, in the AMA:
The Value team admitted to the attack in the Discord chat room at 16:05, and the AMA went on for 40 minutes, discussing irrelevant topics until…
$FARM, $AKRO, and $VALUE have all become victims of flash loans. They have been taught a harsh lesson because of their weak protocols, and the attackers have all expressed some “goodwill” by returning some money.
Are these attacks trying to teach us anything?
Flash loans are a controversial topic in the DeFi field. In recent months, they have been the main cause of many attacks and vulnerabilities. However, it can be said that flash loans are only accelerating our learning process and helping to eliminate weak protocols.
If there were no flash loans, there might be “whales” that could do this in the future. We’d better go through this process in the early stage of decentralized finance (DeFi), because people who are ready to take risks are experimenting, trying, and releasing new products every day.
Flash loans are here to teach those adversaries why they should be humble. They are at the apex of DeFi, something that is impossible anywhere else. Flash loans are a perfect example of the new features that DeFi technology brings.
This is a feature of DeFi, not a use of code.
The most powerful protocols will not be affected by these attacks, and some can even benefit from them.
It can be said that flash loans have forcibly raised the threshold for DeFi developers.
Before the new standards are met, people and protocols will be attacked. It will be painful, and it will be public, but that is exactly why we need to learn. DeFi will become stronger, and we will develop better practices, stronger code, and a safer environment for future users.
Source link: rekt.ghost.io