The perils of DeFi: How a hacker lost $560,000 in cyberspace

Decentralized finance is a novel world. Here’s what happened when one large crypto investor tried to be too opportunistic—and it backfired.

By Robert Stevens

Mar 4, 2020

2 min read

This investor didn't quite get the result they were hoping for. Image: Shutterstock.

In Brief

An investor tried to manipulate a new smart contract on DeFi product iEarn for profit.
The iEarn developer enlisted a friend to return the funds, which he thought had been lost accidentally.
One other user gained $3,000 from the exploit.

A large investor, otherwise known as a whale, has lost a lot of money by trying to exploit a decentralized finance (DeFi) protocol.

Here’s what happened, according to DeFi Weekly: As part of a new upgrade, iEarn published some smart contracts, filled to the brim with stablecoins. But they hadn’t told anyone. Still, a rich user got wise, and thought they could manipulate those smart contracts to steal the stablecoins, which were held in the form of BUSD and USDT.

The whale tried manipulating the exchange rate between the two stablecoins. They deposited $146,000 into Curve and kept swapping between the coins. They made money by taking advantage of slippage.

Slippage occurs when large trades are made in a pool with low liquidity. The size of the trade massively affects the price of the tokens being traded, which can make trades less or more profitable—depending on which side of the trade you’re on.

The whale put $146,000 into the protocol. Then kept adding and withdrawing more money. By the end, they had $560,000 tied up in it—a mixture of their own money and other people’s.

And this is where it all went wrong.

The trades get reversed

Cronje was observing the trades at the time. He thought that someone had made a mistake and had accidentally lost their money. So, to solve the problem, he enlisted a rich friend to return the money in the pools back to the original owner.

But it didn't work. The long and short of it is that the whale ends up losing the $560,000, the majority of which went to Cronje’s rich friend. A third party, who also was trying to get involved in the scheme ended up taking home $3,500. For the developers among you, read the convoluted details here.

Cronje had only started building iEarn in January. Within weeks it was holding $8 million in its smart contracts. As a result of the community backlash, Cronje decided to let go of the project. Some members of the community have since apologized.

Will Cronje come back to the DeFi space? "Busy re-evaluating that question," he said. But if the community hounds all developers like this, there won't be a DeFi space for him to come back to.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.

Coin Prices