Decentralized stablecoin exchange Curve Finance reported a vulnerability this morning that affects a new trading pool involving yield aggregator project Yearn Finance. The exploited pool was quickly shut down to prevent an incident.
Curve allows users to swap between US dollar-pegged stablecoins (such as USDC, DAI, and USDT) with extremely low fees and slippage. The liquidity, or the amount of funds in Curve, is wholly supplied by users, who in return earn yields on an annual basis from the interest charged to borrowers of stablecoins from Curve.
Since its launch in 2020, the project has been stable with no major technical issues so far. But that record was tainted today. “We have discovered an issue with the new yVault2 (Yearn Finance) pool. The pool has been killed in order to protect LPs. All funds are safe,” the project said.
It added that all locked up funds would be returned to the liquidity providers (the addresses which supplied the funds) automatically.
We have discovered an issue with the new yv2 (@iearnfinance) pool. The pool has been killed in order to protect LPs.
All funds are safe. Deposits will be sent directly to liquidity providers' wallets, no further action is required to withdraw.
— Curve Finance (@CurveFinance) February 8, 2021
Yearn Finance (YFI) is a yield aggregator, meaning it automatically supplies user funds to other yield-generating protocols, exchanges, and wallets, cutting out the need for a user to individually manage the complexity of the so-termed decentralized finance (DeFi) space.
All users locking up their funds on Yearn get a “y” branded token in return—a tokenized representation of their locked up asset. For example, a user depositing USDT into Yearn gets yUSDT in return, which can further be used on other protocols to earn yields (based on Yearn’s own strategy) or swapped for another cryptocurrency.
Such an arrangement is called a “vault,” with a “v1” and a “v2” token (based on the two vaults that charge different fees and use different strategies) given out to users based on the assets they deposited.
Today’s issue on Curve saw the “v2” pool get exploited, with the team confirming that the issue was not a fundamental problem, but instead a technical one. The team told Decrypt that there would be a forthcoming post-mortem.
Meanwhile, the issue was the second recent one involving Yearn. Last week saw the “v1 yDAI vault” exploited by a sophisticated hacker, resulting in the DAI vault losing over $11 million. The attacker made away with $2.8 million, and YFI fell over $4,000 minutes after the news.