Yearn yDAI Vault Curve Manipulation
Yearn's yDAI vault lost $11M (the attacker netted $2.8M) when an 11-transaction flash-loan sequence skewed the DAI price in Curve's 3pool, forcing the vault into deposit/withdraw cycles at unfavorable rates. Tether froze $1.7M.
- Date: February 4, 2021
- Victim: Yearn Finance
- Chain(s)
- Status: Partially Recovered
On February 4, 2021, Yearn Finance's yDAI vault suffered an 11-transaction flash-loan exploit. The vault lost approximately $11 million; the attacker netted roughly $2.8 million in profit, with most of the difference destroyed in slippage and gas. Tether froze $1.7M of the stolen USDT, mitigating part of the loss.
What happened
Yearn's yDAI vault deployed user DAI into Curve's 3pool (DAI/USDC/USDT) to earn yield. The vault's deposit and withdraw operations priced in and out of the 3pool based on the pool's current internal exchange rates — rates that anyone with enough capital could temporarily distort.
The attack was an elaborate 11-transaction sequence:
- Flash-borrowed 116,000 ETH from dYdX and 99,000 ETH from Aave v2.
- Used the ETH as collateral to borrow 134M USDC and 129M DAI from Compound.
- Deposited large amounts into Curve's 3pool to manipulate the DAI exchange rate within the pool.
- Triggered Yearn's yDAI vault to deposit into / withdraw from the 3pool at the manipulated, unfavorable rates.
- Each cycle extracted a slice of vault value through the rate imbalance.
- Repaid all flash loans, walking away with 513,000 DAI + $1.7M USDT + CRV tokens ≈ $2.8M net.
The remaining ~$8M of the $11M vault loss was not captured by the attacker — it was destroyed in 3pool slippage and the cost of the manipulation itself, a recurring feature of flash-loan-funded oracle attacks where the protocol's total loss exceeds the attacker's take.
Aftermath
- Yearn patched the vault strategy to reduce the exploitable manipulation surface within hours.
- Tether froze $1.7M USDT that the attacker had extracted, recovering it for affected users.
- Yearn committed to making the vault whole through protocol revenue and treasury allocation.
- The attacker's remaining proceeds were laundered.
Why it matters
The Yearn yDAI incident is one of the founding flash-loan oracle-manipulation cases of the 2021 DeFi era — early enough that the structural lesson it taught was still being learned across the ecosystem:
Any vault that prices deposits/withdrawals against a manipulable pool's instantaneous exchange rate is exploitable by anyone who can move that pool in the same transaction.
The pattern recurred through 2021-2026 at Harvest Finance, Cream Finance, Belt Finance, and dozens of others. The defensive answer — read prices from time-weighted oracles or external feeds, never from the spot rate of a pool the attacker can touch — was articulated clearly after exactly these incidents.
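The defensive check described above, as an added example that is not Yearn's or Curve's code: a vault-side guard that refuses to trade when the pool's spot rate strays from a reference price. Assumptions: a two-asset constant-product pool stands in for the 3pool's StableSwap curve, and `Pool`, `guarded_swap`, the 50 bps tolerance, the reserves and the reference price of 1.0 are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Two-asset constant-product pool (assumed stand-in for Curve's 3pool)."""
    dai: float
    usdc: float

    def spot_usdc_per_dai(self) -> float:
        # Instantaneous rate: depends only on the current reserves.
        return self.usdc / self.dai

    def swap_dai_for_usdc(self, dai_in: float) -> float:
        k = self.dai * self.usdc
        new_dai = self.dai + dai_in
        new_usdc = k / new_dai
        usdc_out = self.usdc - new_usdc
        self.dai, self.usdc = new_dai, new_usdc
        return usdc_out

class PriceDeviation(Exception):
    """Raised when the pool spot rate strays too far from the reference."""

def guarded_swap(pool: Pool, dai_in: float, reference: float,
                 max_dev_bps: float = 50) -> float:
    # Compare spot against a price that cannot be moved inside the same
    # transaction (TWAP or external feed) and refuse to trade if it is off.
    dev_bps = abs(pool.spot_usdc_per_dai() - reference) / reference * 10_000
    if dev_bps > max_dev_bps:
        raise PriceDeviation(f"spot deviates {dev_bps:.0f} bps from reference")
    return pool.swap_dai_for_usdc(dai_in)

def demo():
    reference = 1.0                      # constructed reference price
    calm = Pool(dai=100e6, usdc=100e6)   # constructed balanced reserves
    fair_out = guarded_swap(calm, 1e6, reference)

    skewed = Pool(dai=100e6, usdc=100e6)
    skewed.swap_dai_for_usdc(50e6)       # large trade distorts the spot rate
    # What a vault pricing at spot would receive for the same 1M DAI:
    spot_priced_out = Pool(skewed.dai, skewed.usdc).swap_dai_for_usdc(1e6)
    try:
        guarded_swap(skewed, 1e6, reference)
        blocked = False
    except PriceDeviation:
        blocked = True
    return fair_out, spot_priced_out, blocked

if __name__ == "__main__":
    print(demo())
```

In this model the same 1M DAI returns under half as much USDC once the reserves are skewed, and the guard rejects the trade instead of accepting that rate.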
The $11M loss / $2.8M attacker profit ratio is also instructive: roughly 75% of the economic damage was destroyed, not stolen. This is a recurring feature of flash-loan oracle attacks and means headline "amount stolen" figures consistently under-state the true protocol cost.