The latest "test in prod" experiment from Yearn founder Andre Cronje has many degen traders questioning their YOLO nature following a flash loan attack of contracts that hadn’t been officially released to the public yesterday afternoon.
Eminence Finance, an NFT gaming ecosystem that was still in development, was exploited by a hacker who stole $15M after traders rushed to farm EMN - a token meant to act as a reward stablecoin with zero inherent value.
“It's a flat currency, not a token,” Cronje commented in a private group. “Meant for non speculative ingame purchases only.”
There was no official announcement on the launch or public website. All it took was an eminence.finance Twitter account, cryptic tweets, and Cronje’s retweets, for traders to find the contracts and flood into the mysterious protocol, hoping to get in early on "the next YFI."
The contracts were about 3 weeks from completion by Cronje’s account and hadn’t been properly tested and secured. This gave one savvy hacker the opportunity to use a flash loan to drain the pool of all its funds less than three hours after the project went viral on Crypto Twitter.
A Series of Unfortunate Events
A flurry of activity rose around the release of Eminence Finance after a public Twitter account showcasing different factions or teams for popular DeFi protocols like Chainlink "Marines"’ and Synthetix "Spartans" was unveiled and retweeted by Cronje.
Once confirmed as being deployed from the primary Yearn address, many were quick to start interacting with the contract, depositing DAI to mint EMN directly through the contract prior to a front-end being available. It’s important to highlight, this wasn’t just unaudited code like the case of Sushi or Yam; there was no information or even a front-end. Nobody knew exactly what the project was. All there was were a few speculative tweets.
The premise of an NFT-based Battle Royale incubated by Cronje was enough to get degens excited, with many blindly deploying funds in a term coined as "aping"—or rushing to throw money into an unaudited smart contract.
As degens began to flock into the faction of their choosing, a hacker was able to use a flash loan to mint EMN on a tight bonding curve to increase the price. For every EMN minted, the price would increase incrementally along the curve. As the price increased, the hacker burned EMN for any of the wrapped eTokens—Eminence’s native versions of popular DeFi tokens like Aave - to cause a large supply drop and increase the token price dramatically.
This gap allowed the hacker to acquire large sums of EMN and then sell the other tokens to recursively cash in DAI profits.
Image source: Banteg
15 Million Dai
In total, nearly 15M of DAI was siphoned in the process, leaving virtually all participants with nothing but a lesson in diligence to show.
Luckily for those affected, the hacker has graciously returned $8M of lost funds, good for a forthcoming 50% refund as per balances taken at a snapshot the block before the hack took place.
Now, many are left to theorize why any funds were returned at all, and whether or not this exploit marks the death of Eminence Finance before it ever began.
Risk of Unaudited Code
Cronje has signaled that the experiment is beyond recovery. Despite a fascinating premise, Andre’s diehard following has taken testing in prod over the edge, showing that not all unaudited contracts are exploit-free.
While this is certainly not the last experiment from Cronje, let Eminence show that until there is an official Medium post about a project the DeFi rockstar is affiliated with, these contracts are not meant to be toyed with.
[This story was written and edited by our friends at The Defiant, and also appeared in its daily email. The content platform focuses on decentralized finance and the open economy and is sharing stories we think will interest our readers. You can subscribe to it here.]