defirisk.co
rubric v1.7.0

Yearn Finance (yDAI v1 vault): Flash loan + Curve 3pool spot price manipulation → vault share price arbitrage → DAI drain during migration

Yearn's yDAI vault lost $11M when attackers exploited a migration window where withdrawal fees were zeroed — flash loans turned a routine vault migration into a $2.7M payday.

Occurred: 2021-02-04 · Loss: $11M · Status: closed

Summary

Yearn Finance (yDAI v1 vault), a yield aggregator / vault protocol, was exploited on 2021-02-04, resulting in a loss of approximately $11M.

Linked factors

  • RD-F-006 — causal : Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the vulnerability was enabled by a configuration change (migration fee removal), not a new deployment]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown at time of exploit]
  • RD-F-078 — causal : Chronic flag (≥3 prior exploits) [via cross-hack: Factor 59: Three-or-More Exploit History]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Repeated flash loans from dYdX + Aave; massive Compound borrows; dramatic Curve 3pool composition shifts; repeated yDAI vault deposits/withd...]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — the Curve 3pool composition was severely distorted during the attack, which would appear as extreme price deviation on any in-block orac...]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 116K ETH flash from dYdX + 99K ETH from Aave + 134M USDC + 129M DAI from Compound is one of the largest coordinated flash borrowing even...]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — the withdrawal fee had been explicitly disabled by the team for vault migration; this configuration change was the necessary preconditio...]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the vulnerability was enabled by a configuration change (migration fee removal), not a new deployment]