Value DeFi

Value DeFi Hack - November 2020

Value DeFi Flash Loan Exploit - November 2020

Value DeFi was exploited for $7.4 million via a flashloan attack, and shortly after, $2 million was returned to the project. The exploit occurred in mid-November 2020 and targeted the protocol's MultiStables vault.

Attack Mechanics

The attacker sourced an 80,000 ETH flashloan from Aave and an additional $116 million flash loan in DAI from Uniswap, then swapped the flash-loaned ETH for stablecoins, deposited part of the flash-loaned DAI into Value DeFi's multi-stablecoin vault, and conducted a series of stablecoin swaps between USDT, USDC, and DAI designed to exploit the pricing used by the Value DeFi vault's withdrawal method.

Root Cause

Value DeFi was the victim of a flash loan attack as a result of its centralized price oracle, with the hack relying on a centralized price feed to confirm prices in the vault—making it vulnerable to manipulation.

Aftermath

Following the exploit, the Value DeFi team decided to decentralize its price oracle and chose Chainlink as their solution to prevent similar attacks in the future.

Sources

• https://coingeek.com/7-4-million-stolen-in-value-defi-exploit/

• https://cointelegraph.com/news/value-defi-protocol-suffers-6-million-flash-loan-exploit

• https://cryptobriefing.com/value-defi-drained-millions-flash-loan-attack/

• https://decrypt.co/48892/value-defi-hacked-chainlink