Value DeFi Flash-Loan Oracle
Value DeFi's MultiStables vault lost $7M to a flash-loan manipulation of the Curve 3pool price used by its strategy, an early canonical case of the pattern.
- Date
- Victim
- Value DeFi
- Chain(s)
- Status
- Partially Recovered
On November 14, 2020, Value DeFi's MultiStables vault lost approximately $7 million to a flash-loan manipulation of the Curve 3pool price its strategy relied on. The attacker borrowed large stablecoin amounts, skewed the 3pool, made the vault deposit/withdraw at unfavorable rates, and pocketed the difference (returning ~$2M afterward).
What happened
The vault priced strategy operations from the manipulable Curve 3pool spot rate. A flash loan skewed the pool; the vault transacted at the bad rate; the attacker extracted ~$7M, repaid the loan, and later returned ~$2M.
Aftermath
- Value DeFi paused and reimbursed partially; attacker returned a portion.
Why it matters
Value DeFi (Nov 2020) is one of the earliest canonical flash-loan vault-oracle exploits, alongside Harvest Finance (Oct 2020) and the bZx pair (Feb 2020). It is, in effect, a founding document of the single most-repeated pattern in this entire catalogue. Everything that follows — Cream, Belt, Cetus, hundreds of others — is a variation on what Value DeFi demonstrated in November 2020: price a vault from a pool an attacker can move in the same transaction, and the vault is an open faucet. The defense was articulated immediately after these 2020 incidents and has been freely available, and routinely unused, ever since.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-value-defi-hack-november-2020
- [02]rekt.newshttps://rekt.news/value-defi-rekt