Yearn.finance founder Andre Cronje’s game project eminence.finance was attacked by lightning, technical analysis of attack details.
Original Title: “The Whole Story of Andre DeFi”
Written by: Xiaodao, former Google engineer, founder of Y3D
Memento te hominem esse: Remember that you are just a person.
—— “A Brief History of World Languages”, a well-quoted Latin phrase
This is not the first time Andre has overturned. Earlier this year, when Andre first started building yCrv, there was an accident that caused an early user to lose $14w.
After this incident, Andre’s top tweet was the famous Disclaimer.
And just in the middle of this month, YFI’s community project SAFE also had insider trading, buying large insurance policies in advance. Although it is not the direct responsibility of Andre, it still has a certain impact on YFI’s community.
The accident that happened yesterday is far more serious than the previous accidents, both in terms of the amount of damage and the number of people affected. And the accident principle is simpler, it can be used as an introductory tutorial for Flashloan. So that Andre couldn’t write a decent Postmortem to explain.
Accident principle
Flashloan must be familiar to everyone. During this year’s EtherDenver, the DeFi project bZq had several consecutive accidents. The second attack is not a loophole in the contract code, but a flaw in the contract design-all contracts are performing work according to a predetermined design, but when these contracts are combined, a risk-free arbitrage is possible. Because the attacker needs to complete the “borrowing” and “repayment” operations at the same time within a tx, this attack method is called Flashloan (Flashloan). DragonFly researcher Haseeb Qureshi once wrote that this type of attack will become the “New Normal” in DeFi development.
Accident contract
https://etherscan.io/address/0x5ade7ae8660293f2ebfcefaba91d141d72d221e8
https://etherscan.io/address/0xc08f38f43adb64d16fe9f9efcc2949d9eddec198#code
Hacker address
https://etherscan.io/tx/0x3503253131644dd9f52802d071de74e456570374d586ddd640159cf6fb9b8ad8
We can see that the hacker initiated a total of three Create Contract operations, and after they succeeded, they still returned half of them 🤦♀️. (Good job is a reward…)
Look at some of the victims Case, such as the brother took 390 ETH buy EMN , only an hour later sold back to one .
Another example is the tweeted brother @spzcrypto who was still retweeting @eminencefi a few hours ago. The next push will be got rekt.
It doesn’t look like it was acting at all, and there must be many similar victims.
Although the attack contract is not open source, observing these tx inline transfers shows that this is a standard lightning loan ⚡️ process. It is easy to restore the attack principle. The following thread describes the attack process in detail:
https://twitter.com/bkiepuszewski/status/1310901151311835136
If you are confused about how hackers successfully squeezed out the $EMN contract, here is the specific mechanism. The EMN contract allows you to use DAI as a reserve fund to mint EMN. It uses a standard Bancor-like curve-DAI is used as the reserve currency of EMN, and the price of EMN tokens is determined by the number of EMNs and the number of reserve currencies. The second type of token, eAAVE is similar, but there is a small but important difference-it uses EMN as a reserve currency, but it is “virtual”-if you mint eAAVE by sending EMN tokens to it, Instead of storing your EMN in a reserve, the eAAVE contract will actually destroy the EMN. This interaction allows the attacker to perform the following transactions (all transactions are performed atomically in one transaction-that is, flash loan ⚡️).
The following is the complete attack process:
- Get 15m DAI from Uniswap in a flash loan ⚡️.
- Use your DAI to mint as much EMN as possible (ignoring the price).
- Use half of the EMN to cast eAAVE. This will consume EMN, reduce the total supply, and increase the price of EMN.
- Sell your second half of the EMN at the price of 10m (note that this is much more than the principal of the 7.5m DAI).
- Sell your eAAVE now, get back your first half of EMN, and lower the price of EMN.
- Sell back your first half of EMN at the price of 6.649m.
- Return 15m lightning loan ⚡️ to Uniswap and enjoy 1.67m profit.
- Repeat the above strategy three times.
Hackers can find the loopholes in the contract in such a short time, so the community speculates that it is also an insider crime. Although Test in Prod is Andre’s standard practice, today’s halo of the father of YFI above Andre’s head has a different impact on the community. As the saying goes, the greater the power, the greater the responsibility. In fact, Andre himself can’t shirk the blame for such an accident.
Follow-up
YFI’s currency price was implicated by this accident and plunged by 16% yesterday.
Andre himself also stated that he received personal threats from many victims (DeFi Xuyuanxuan?). Then Andre said that he would permanently store his long-used legendary account Yearn.Deployer and would no longer use Twitter Shill’s own new projects.
As I am receiving a fair amount of threats, I have asked yearn treasury to assist with refunding the 8m the hacker sent.
—— https://twitter.com/AndreCronjeTech/status/1310774715359924228
Thank you for the feedback today. I have read two primary criticism and both seem to be related to the public nature of this twitter account and the public nature of my ETH address. Going forward, I will not use either for new projects I am working on.
—— https://twitter.com/AndreCronjeTech/status/1310864406000041984
At the same time, Andre also lost his right-hand man, YFI community KOL, and @Bluekirby, who was the first to shill and witnessed the entire process of being hacked, said that he would resign from the YFI community.
So far, the impact of the incident is still in fermentation.
Reference
YFI plummeted by 12%, founder Andre’s new project Eminence was hacked
Comments
Post a Comment