On Thursday evening, an unknown entity stole $2.8 million from a shared digital “vault” on the investment website Yearn.finance, the culprit exploited the vault using Aave, an open-source cryptocurrency platform that allows people to make “flash loans,” a rapid borrowing and repaying of money without the need for collateral. An unknown person was able to steal $2.8 million from a shared digital “vault” on Yearn.Finance, a service that allows users to deposit their funds in collective digital pools. Vault funds are then used in other “decentralized finance” (DeFi) offerings with the goal of generating additional earnings for the vault’s depositors.
Yearn.finance has yet to issue a full report explaining exactly what happened, but the theft may show that blockchains, a security technology behind cryptocurrency transactions once thought to be “unhackable,” actually have vulnerabilities. To understand what happened, one must understand a little bit about how Yearn.finance works. Yearn.finance allows its users to deposit funds in collective digital pools called “vaults.” The vaults are then handled like actively managed mutual funds, with the funds used in other “decentralized finance” or “DeFi” offerings with the goal of generating additional earnings.
Specifically, Yearn.finance bases its transactions on Ethereum, a versatile cryptocurrency that can be processed through programming codes for various functions, called “smart contracts.” Like other cryptocurrencies, Ethereum tracks all of its uses through blockchains, digital records that store information of every transaction and are verified by multiple computers in a decentralized network. In this case, the thief exploited the vault by issuing an Aave flash loan, allowing them to quickly drain the vault before they could be stopped. News of the theft first broke on Discord, a community-centered instant messaging and digital distribution platform on Thursday evening.
At 4:38 p.m., Jeffrey Bongos, a user on Yearn’s Discord server, wrote, “Anyone know why v1Dai vault is showing that I’ve lost thousands of Dai in the last few minutes?” His comment was reported by Yahoo! Finance. Bongos’ mention of “DAI” refers to a type of “stable coin” designed to maintain 1-to-1 parity between Ethereum and the U.S. dollar. Simply put, the Ethereum pooled in the vault was expressed in U.S. dollars. A little after 5 p.m., the Yearn website showed the vault having sustained a loss of 1059 percent. At 5:14 p.m., a member of Yearn.finance’s team wrote on Discord, “Attacker got away with 2.8m.” While details of the transaction are publicly available on Etherscan a website that contains blockchain information such as digital addresses where transactions originated from, cryptocurrency prices and other activities Yearn.finance has not yet revealed additional information about the culprit, their method or location.
When cryptocurrencies first emerged, advocates said that blockchain technology would prevent theft because multiple computers in a non-centralized network would have to validate each and every transaction. However, a February 2019 report by the MIT Technology Review stated that hackers have stolen nearly $2 billion worth of cryptocurrency since the start of 2017, partly because they’ve figured out ways to hack blockchains by exploiting poor security features on web servers and on websites that operate as cryptocurrency exchanges.