Aftermath of Value DeFi $6M Flash Loan Attack

Value DeFi fell victim to a complex flash loan attack using Aave and Uniswap that drained $6 million from its flagship MultiStables vault. Coming after the recent exploits of Akropolis protocol and Harvest Finance, it is a stark reminder to users of DeFi products that this tech is highly experimental.
The MultiStables vault was the subject of a complex attack that resulted in a net loss of $6M. https://t.co/dnFRa5yPBJ
— Value DeFi (@value_defi) November 14, 2020
We are currently working on a postmortem and are exploring ways to mitigate the impact on our users.
To make matters worse for Value DeFi, the MultiStables Vault had been touted as having these three innovative security features: “1) Flash-loan attack prevention 2) Fake-token attack prevention 3) Re-entrance attack prevention.” The attacker may even have specifically targeted the Value DeFi protocol off the back of that boast, as he signed a follow-up transaction with:
do you really know flashloan?
Double Flash Loan Attack
The hacker used a complex process involving a double flash loan. It started with a flash loan of around 80,000 ETH from Aave, and then a flash swap to secure $116 million DAI from Uniswap. At this point, the attacker swapped the ETH for various stablecoins and deposited DAI into Value’s stablecoin vault.
Giga arbitrage/exploit https://t.co/iP8ivD8PRl https://t.co/zP6nh0PUkS pic.twitter.com/KMPX4LeM3U
— emiliano.eth 🦇 🔊 (@emilianobonassi) November 14, 2020
The attacker then exploited the pricing oracle used by Value DeFi’s withdrawal method by completing a series of stablecoin swaps in Curve. To summarize, the exploit let the attacker drain around $6.5 million worth of DAI from the multi vault pool before paying back the flash loans. You can see the full transaction here on Etherscan.
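The weakness described above comes down to trusting a price read from a pool that can be moved within the same transaction. The sketch below is an added illustration, not Value DeFi's or Curve's code: it assumes a toy constant-product pool (Curve uses a different invariant), constructed reserve figures, and a hypothetical PriceGuard that compares the pool reading against a reference price recorded earlier.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy constant-product pool of two stablecoins (an assumption made for
    brevity; Curve uses a different invariant)."""
    dai: float
    usdc: float

    def spot_price(self) -> float:
        """DAI price in USDC, read straight from the current reserves."""
        return self.usdc / self.dai

    def swap_dai_for_usdc(self, dai_in: float) -> float:
        k = self.dai * self.usdc              # invariant before the trade
        self.dai += dai_in
        usdc_out = self.usdc - k / self.dai   # keep dai * usdc == k
        self.usdc -= usdc_out
        return usdc_out

class PriceGuard:
    """Hypothetical mitigation: refuse a pool reading that strays too far
    from a reference price recorded in an earlier block."""
    def __init__(self, reference: float, max_deviation: float = 0.02):
        self.reference = reference
        self.max_deviation = max_deviation

    def checked_price(self, pool: Pool) -> float:
        spot = pool.spot_price()
        if abs(spot - self.reference) / self.reference > self.max_deviation:
            raise ValueError(f"spot {spot:.4f} deviates from reference {self.reference:.4f}")
        return spot

def simulate(trade_size: float):
    """Return (price before, price after, whether the guard rejected it)."""
    pool = Pool(dai=100_000_000, usdc=100_000_000)   # constructed reserves
    guard = PriceGuard(reference=pool.spot_price())
    before = guard.checked_price(pool)
    pool.swap_dai_for_usdc(trade_size)               # large trade in the same transaction
    after = pool.spot_price()
    try:
        guard.checked_price(pool)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected

if __name__ == "__main__":
    print(simulate(100_000))      # ordinary trade: price barely moves, accepted
    print(simulate(50_000_000))   # oversized trade: price skewed, rejected
```

A vault that values deposits or withdrawals from the unguarded spot_price() would accept the skewed reading; the guarded path fails closed instead.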
Value DeFi Compensation Plan
The team plans to create a compensation fund that will use a combination of developer and insurance funds, along with a percentage of the fees generated by the protocol. However, the proposal is to create an elastic supply IOU (“I owe you”) token. This would deploy at a 1:1 ratio for every dollar lost by the hack.
- The compensation fund will buy back IOU tokens to burn them until the lost funds have been paid back. Essentially, the team hopes this market pressure will help the IOU token hold a $1 peg.
- The IOU token will automatically rebase every week to accrue interest, at the rate of 10% APY. This compensates affected farmers for their lack of access to capital.
- IOU tokens will be tradable, meaning affected depositors could exit early even at a profit if there is enough market demand.
Of course, the VALUE token has dipped since the attack, with the price falling to a new low of $1.90 on Saturday, a drop of over 22% in 24 hours. Since then the price has been stabilizing at $2.05, though it was trading around $2.80 before the attack.
Due to their innovative nature, DeFi protocols continue to be vulnerable to ever-expanding attack vectors. Value DeFi states that its team has no plans to give up despite the attack and will come back stronger, with more security, while pushing its roadmap forward!