Value DeFi: Flash loan + Curve spot price oracle manipulation → inflated collateral → over-borrow drain
Summary
Value DeFi, a yield aggregator / lending vault, suffered an exploit on 2020-11-14, resulting in a loss of approximately $7M.
What happened
Value DeFi lost ~$7M when an attacker used a $231M flash loan to double their Curve LP oracle price and borrow stablecoins far beyond actual collateral value — hours after the team tweeted "we are smarter than most in terms of flash loan protection."
Linked factors
- RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-053 — causal : ★ Spot DEX pool oracle without TWAP — root cause [via realtime_signals/Oracle anomaly: Y — Curve spot price doubled during attack; observable if monitored]
- RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 59: Three-or-More Exploit History]
- RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — Curve spot price doubled during attack; observable if monitored]
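Factors RD-F-053 and RD-F-099 side by side, as an added example that is not part of the original record: valuing collateral at the latest spot price versus a time-weighted average, plus the deviation check against a secondary source. The price observations, the 10% threshold (the record only says "X%"), the reference price and the loan-to-value ratio are constructed assumptions.

```python
# Constructed observations of an LP-token price: (unix_time, price_usd).
# The last sample models a single block in which the pool spot price doubles.
OBSERVATIONS = [(0, 1.00), (600, 1.01), (1200, 1.00), (1800, 0.99), (1815, 2.00)]

MAX_DEVIATION = 0.10  # assumed threshold; the record leaves it as "X%"


def twap(observations, now, window):
    """Time-weighted average price over [now - window, now].

    Each observed price is held until the next observation (or until `now`).
    """
    start = now - window
    weighted = covered = 0.0
    following = observations[1:] + [(now, None)]
    for (t0, price), (t1, _) in zip(observations, following):
        lo, hi = max(t0, start), min(t1, now)
        if hi > lo:  # this interval overlaps the averaging window
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered == 0:
        raise ValueError("no observations inside the window")
    return weighted / covered


def deviates(price, reference, max_deviation=MAX_DEVIATION):
    """True when price differs from the secondary source by more than the threshold."""
    return abs(price - reference) / reference > max_deviation


def borrow_limit(lp_units, price, ltv):
    """Maximum borrowable value for collateral priced at `price`."""
    return lp_units * price * ltv


def evaluate(observations, now, window, reference, lp_units, ltv):
    """Compare a spot-priced vault with a TWAP-priced one for the same collateral."""
    spot = observations[-1][1]
    avg = twap(observations, now, window)
    return {
        "spot": spot,
        "twap": avg,
        "alert": deviates(spot, reference),      # RD-F-099 style signal
        "twap_alert": deviates(avg, reference),
        "limit_spot": borrow_limit(lp_units, spot, ltv),
        "limit_twap": borrow_limit(lp_units, avg, ltv),
    }
```

With the constructed data, a 30-minute window and a reference price of 1.00, the spot-priced limit is roughly double the TWAP-priced one, and only the spot reading trips the deviation alert.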