Value Protocol (VALUE), a decentralized finance (DeFi) protocol that offers sophisticated "yield farming" strategies, has suffered a complex attack. According to security experts, it closely resembles a recent attack on another DeFi protocol, Harvest Finance.
Multistable vault of Value Protocol exploited
According to an official announcement by the protocol team, the attack that was registered late on Nov. 14 targeted the Multistable vault, one of the elements of the product's "yield farming" ecosystem. The Multistable vault worked with DAI, USDT, USDC, BUSD stablecoins and the Curve Protocol (CRV) token.
Seasoned developer Valentin Mihov, former chief technology officer of Santiment, explained how the attackers managed to obtain a seven-digit sum in the blink of an eye. According to Mihov, the malefactors borrowed Ether and DAI from Aave Protocol (AAVE) to Uniswap (UNI). Part of this sum was immediately sent to Value's Multistable vault.
Then, they exchanged their bags into USDC on a massive scale, inflating its price in one of Curve's liquidity pools. As a result, they withdrew liquidity from the Multistable vault with almost $8 mln in profit.
Attackers sent $2 mln to Value Protocol developers and then disappeared with $5.5-$6 mln. Mihov noted the vulnerability of the Shareconverter contract that calculates exchange rates between different Curve Protocol (CRV) pools in USDC equivalent.
Observers noted that this attack closely followed the design of the recent attack on Harvest Protocol DeFi. However, the Harvest attackers used a single liquidity pool on Curve, while in Value's case multiple pools were affected.
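The weakness described above is a converter that values vault shares from a pool rate that a single large swap can move. The following is an added example, not Value Protocol's code: it models a guard that refuses a conversion when the spot rate strays from an average of earlier per-block samples. Pool, RateGuard and convert_shares are hypothetical names, the constant-product formula is a simplified stand-in for Curve's pool math, and the reserves and 1% tolerance are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Two-stablecoin pool; constant-product math is a stand-in, not Curve's."""
    usdc: float
    dai: float

    def spot_rate(self) -> float:
        # USDC per DAI read from current reserves; any swap moves it at once.
        return self.usdc / self.dai

    def swap_dai_for_usdc(self, dai_in: float) -> float:
        k = self.usdc * self.dai
        self.dai += dai_in
        usdc_out = self.usdc - k / self.dai
        self.usdc -= usdc_out
        return usdc_out

@dataclass
class RateGuard:
    """Compares the spot rate with an average of earlier per-block samples."""
    max_deviation: float = 0.01          # constructed 1% tolerance
    samples: list = field(default_factory=list)

    def record(self, rate: float) -> None:
        self.samples.append(rate)        # one sample per block, never mid-transaction

    def allows(self, spot: float) -> bool:
        reference = sum(self.samples) / len(self.samples)
        return abs(spot - reference) / reference <= self.max_deviation

def convert_shares(pool: Pool, guard: RateGuard, shares: float) -> float:
    spot = pool.spot_rate()
    if not guard.allows(spot):
        raise ValueError("spot rate deviates from reference; conversion refused")
    return shares * spot

def demo():
    pool = Pool(usdc=10_000_000, dai=10_000_000)   # constructed reserves
    guard = RateGuard()
    for _ in range(5):                              # five quiet blocks
        guard.record(pool.spot_rate())
    normal = convert_shares(pool, guard, 1_000)     # valued at the undisturbed rate
    pool.swap_dai_for_usdc(5_000_000)               # one oversized swap
    try:
        convert_shares(pool, guard, 1_000)
        refused = False
    except ValueError:
        refused = True
    return normal, round(pool.spot_rate(), 4), refused
```

The reference must be built from samples that a single transaction cannot influence; a reference read in the same transaction as the swap would move with it and the guard would pass.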
The Value Protocol team has shared the first details of the compensation program. Now that the protocol's user interface has been restored, anyone can claim 28.3 percent of their deposit. An additional 20 percent of the deposit will be compensated in DAI from the $2 mln sent by attackers.
Finally, developers are working on a program that would compensate the rest of the losses (52 percent):
"The plans for compensation on the remaining 52% are being worked on with the utmost importance (...) We aren't going anywhere and plan to keep building an innovative #DeFi platform accessible to everyone!"
Unfortunately, "flash loan" attacks are common for the emerging DeFi segment. As covered by CryptoComes, bZx protocol survived three attacks in a row, with $8 mln lost in the last one.