Yearn.finance (YFI) rapidly fixes “attack vector” similar to one used on $1b protocol Harvest – CryptoSlate

Harvest Finance, which used to be a $1 billion yield farming protocol on Ethereum, underwent a brutal attack last week that wiped approximately $30 million from user accounts.

The pseudonymous attacker leveraged a flash loan, along with a series of manipulative transactions between Curve, Uniswap, and Harvest, that allowed them to drain millions of dollars worth of stablecoin from Harvest’s pools.

Reports indicate that the attacker could have kept on going and withdrawn close to $1 billion of stablecoin and tokenized Bitcoin deposits in the protocol but opted against doing so for an unexplained reason.

This attack highlighted how flash loans can be used to exploit economic vulnerabilities within DeFi protocols and pools to the tune of millions of dollars.

While it’s unclear whether or not he was inspired by the Harvest Finance attack, a security researcher in the space found a similar economic flaw within Yearn.finance, the original yield aggregator. Fortunately, instead of exploiting this flaw, he reported it to the Yearn.finance team.

Yearn.finance developers rapidly fix bug

As reported by lead Yearn.finance developer Artem “Banteg” K, on Oct. 29 the team behind the protocol was contacted by security researcher Wen-Ding Li through the requisite security disclosure channels.

Wen-Ding Li described a potential attack vector: a flash loan attack that could take place on Yearn.finance’s TUSD Vault. Yearn.finance’s core product is its Vaults, which operate strategies that automatically yield farm with the deposited token in each Vault.

“Having established contact, Wen-Ding discloses that he