It appears that Value DeFi has become the victim of a flash loan exploit that cost them $6 million. This occurred after a Twitter thread on Friday had detailed a prevention method that could be used against similar exploits. The incident took place on Friday, before Aave Protocol developer Emilio Frangella raised an alarm regarding the exploited loan. A user had taken out a flash loan of about 80,000 ETH from the lending protocol, valued at $36 million at that time. Emiliano Bonassi, a self-described hacker and the co-founder of DeFi Italy, revealed that the hacker had gone as far as attacking Uniswap as well, because an extra flash loan worth $116 million had also been taken out.
Bonassi disclosed that the attacker had taken stablecoins and used the flash-loaned ETH to replace them. Some of the flash-loaned DAI had been put into the multi-stablecoin vault of Value DeFi. Later on, the attacker carried out a number of stablecoin swaps between USDT, USDC and DAI. The purpose was to exploit the pricing that Value DeFi used in its withdrawal method. In a recent interview, Bonassi said that this attack was one of the most sophisticated he had seen in a long time, even though it bore quite a resemblance to the Harvest Finance attack.
Bonassi also stated that it was the first time he had seen a threat actor use two flash loans in a single attack. Later that night, a statement was released through the community Discord, admitting that a flash loan attack had indeed occurred. The board acknowledged that they were fully aware of the situation concerning the MultiStables vault. The statement further asked users to be patient while the developers investigated.
Users were also informed that, other than the attacked vault, all other vaults were functioning properly. A couple of minutes after the attack, the threat actor carried out an ETH transaction in which he allegedly taunted the Value DeFi protocol through a message delivered to the address of the deployed protocol. The message asked them if they really knew flash loans. To deliver it, the threat actor had to pay for the transaction, which meant moving $0.31 from his hacking rewards.
Shortly afterward, the protocol announced on Twitter that it was gearing up for a postmortem of the attack, which had resulted in a loss of around $6 million for users. Due to the attack, the $VALUE token saw its value depreciate from 2.73 to 2.01, a reduction of more than 25%. This attack is one of numerous setbacks that have occurred within the DeFi (decentralized finance) space in the last two weeks. These also included an attack on the Akropolis protocol.