Value DeFi fell victim to a complex flash loan attack using Aave and Uniswap which drained their flagship MultiStables vault by $6 million. A starch reminder after the recent exploits of Akropolis protocol and Harvest Finance that DeFi product users need to remember this tech is highly experimental.
To make matters worse for Value DeFi, the MultiStables Vault was flaunted to have these three innovative security features: “1) Flash-loan attack prevention 2) Fake-token attack prevention 3) Re-entrance attack prevention.” The attacker may even have specifically targeted Value DeFi protocol off the back of their boast, as he signed a follow-up transaction with:
do you really know flashloan?
Double Flash Loan Attack
The hacker used a complex process involving a double flash loan. It started with a flash loan of around 80,000 ETH from Aave, and then a flash swap to secure $116 million DAI from Uniswap. At this point, the attacker swapped the ETH for various stablecoins and deposited DAI into Value’s stablecoin vault.
Then the attack exploited the pricing oracle utilized by Value DeFi’s withdrawal method by completing a series of stablecoin swaps in Curve. To summarize, the exploit let the attacker drain around $6.5 million worth of DAI from the multi vault pool before paying back the flash loans. You can see the full transaction here on etherscan.
Value DeFi Compensation Plan
The team plans to create a compensation fund that will use a combination of developer and insurance funds. Along with a percentage of the fees generated by the protocol. However, the proposal is to create an elastic supply IOU “I owe you” token. This would deploy at a 1:1 ratio for every dollar lost by the hack.
- The compensation fund will buy back IOU tokens to burn them until the lost funds have been paid back. Essentially, the team hopes this market pressure will keep the IOU token to hold a $1 peg.
- IOU token will automatically rebase every week to accrue interest, at the rate of 10% APY. This compensates affected farmers for their lack of access to capital.
- IOU tokens will be tradable, meaning affected depositors could exit early even at a profit if there is enough market demand.
Of course, the VALUE token dipped since the attack with the price falling to a new low of $1.90 on Saturday, a drop of over 22% in 24 hours. However, since then the price is stabilizing at $2.05 though it was trading around $2.80 before the attack.
Due to its innovative nature DeFi protocols continue to be vulnerable to ever-expanding attack vectors. Value DeFi states their team has no plans to give up despite the attack. And will come back stronger, with more security, while pushing their roadmap forward!