
Author: Kojima, former Google engineer, founder of Y3D
Memento te hominem esse: Remember that you are only human.
— A Brief History of the Languages of the World, a frequently quoted Latin saying
This is not the first time one of Andre's projects has crashed. Earlier this year, when Andre had just started building yCrv, an accident caused an early user to lose $140,000.
After that incident, Andre's pinned tweet was the now-famous Disclaimer.
And just in the middle of this month, SAFE, a YFI community project, had an insider-trading incident in which insiders bought a large insurance position in advance. Although it was not Andre's direct responsibility, it still had some impact on the YFI community.
The accident that happened yesterday was far more serious than the previous ones, both in the amount lost and in the number of people affected. The mechanism of the accident is also simpler; it could serve as an introductory tutorial on flash loans. It was so simple that Andre could not even write a decent postmortem to explain it.
Principle of the accident
author, saying that this type of attack will become the "New Normal" in DeFi development.
Principle of accident
authorauthor, saying that this type of attack will become the "New Normal" in DeFi development.
accident contract
https://etherscan.io/address/0x5ade7ae8660293f2ebfcefaba91d141d72d221e8
https://etherscan.io/address/0xc08f38f43adb64d16fe9f9efcc2949d9eddec198#code
hacker address
https://etherscan.io/tx/0x3503253131644dd9f52802d071de74e456570374d586ddd640159cf6fb9b8ad8
We can see that the hacker initiated a total of three Create Contract operations, and after succeeding returned half of the proceeds🤦♀️. (A good job is rewarded...)
Let's look at some specific victims, such as this user who spent 390 ETH to buy EMN and, an hour later, got only 1 ETH back when selling.
Another example is @spzcrypto, who was still retweeting @eminencefi a few hours earlier. His very next tweet was that he got rekt.
This does not look staged at all, and there must be many similar victims.
Although the attack contract is not open source, by observing the internal transfers of these transactions we can see that this is a standard flash loan⚡️ flow, and it is easy to reconstruct the attack mechanism. The following thread describes the attack process in detail:
https://twitter.com/bkiepuszewski/status/1310901151311835136
If you're confused about how the hacker managed to drain the $EMN contract, here's the exact mechanism. The EMN contract allows you to use DAI as a reserve to mint EMN. It uses a standard Bancor-like curve - DAI is used as the reserve currency for EMN, and the price of EMN tokens is determined by the amount of EMN versus the amount in the reserve currency. The second token, eAAVE, is similar, with one small but important difference - it uses EMN as a reserve currency, but is "virtual" - if you mint eAAVE by sending it EMN tokens, instead of storing your EMN in the reserve, the eAAVE contract actually burns the EMN. This interplay allows an attacker to make the following transactions (all atomically in one transaction - aka flash loans ⚡️).
The following is the complete attack process:
Flash loan ⚡️ 15m DAI from Uniswap.
Mint as much EMN as possible with your DAI (ignore the price).
Mint eAAVE with half of EMN. This will consume EMN, reducing the total supply and thus driving up the price of EMN.
Sell the second half of your EMN for 10m (note that this is much more than the principal amount of 7.5m in DAI).
Sell your eAAVE now, get back your first half of EMN, and reduce the price of EMN.
Sell back your first half of EMN for 6.649m.
Return the 15m flash loan to Uniswap ⚡️ and enjoy a profit of 1.67m.
Repeat the above strategy three times.
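To make the interplay concrete, here is an added toy model (not code from the original article or from Eminence) of the two bonding curves with the steps above run against them. The curve shape, starting reserves and loan size are constructed assumptions; the point it shows is that profit only appears when the eAAVE mint burns EMN instead of escrowing it, because burning shrinks EMN supply while the DAI reserve stays put.

```python
# Toy model of the EMN / eAAVE bonding-curve interplay described in the thread
# above. Constructed example, not Eminence's code: the curve, the reserve sizes
# and the loan amount are assumptions chosen to keep the arithmetic readable.
from dataclasses import dataclass

CW = 0.5  # connector weight of the Bancor-style curve (reserve grows with supply^2)


@dataclass
class Curve:
    """Bancor-like continuous token: `reserve` units back `supply` tokens."""
    reserve: float
    supply: float

    def mint(self, deposit: float) -> float:
        minted = self.supply * ((1 + deposit / self.reserve) ** CW - 1)
        self.reserve += deposit
        self.supply += minted
        return minted

    def burn(self, amount: float) -> float:
        payout = self.reserve * (1 - (1 - amount / self.supply) ** (1 / CW))
        self.reserve -= payout
        self.supply -= amount
        return payout


def run_round_trip(virtual_reserve: bool, loan: float = 15e6) -> float:
    """Flash-loan round trip; returns attacker profit in DAI.

    virtual_reserve=True models the deployed behaviour: minting eAAVE burns the
    EMN sent in (and redeeming re-mints it; an assumption of this model).
    False models the safer design where eAAVE simply escrows the EMN."""
    emn = Curve(reserve=1e6, supply=1e6)    # constructed starting state (DAI / EMN)
    eaave = Curve(reserve=1e5, supply=1e5)  # constructed starting state (EMN / eAAVE)

    got = emn.mint(loan)                    # 1. buy EMN with the whole loan
    half = got / 2
    ea = eaave.mint(half)                   # 2. mint eAAVE with half the EMN
    if virtual_reserve:
        emn.supply -= half                  # ...which BURNS that EMN, reserve untouched
    dai = emn.burn(half)                    # 3. sell the other half at the inflated price
    back = eaave.burn(ea)                   # 4. redeem eAAVE, the EMN comes back
    if virtual_reserve:
        emn.supply += back                  # ...re-minted, so supply grows again
    dai += emn.burn(back)                   # 5. sell the returned half
    return dai - loan                       # 6. repay the loan; the remainder is profit


if __name__ == "__main__":
    print(f"virtual reserve (burn): profit = {run_round_trip(True):,.0f} DAI")
    print(f"escrowed reserve:       profit = {run_round_trip(False):,.0f} DAI")
```

With the escrowed design the two sales are path-independent and return exactly the loan; with the burning design the DAI that leaves the reserve is taken from every other EMN holder.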
Follow up
The price of YFI was dragged down by this incident and fell 16% yesterday.
Andre himself also said that he has received personal threats from many victims (the DeFi Xu Yuanxuan?). Andre then said that he would permanently retire his long-used, legendary Yearn.Deployer account, and would no longer use Twitter to shill his own new projects.
As I am receiving a fair amount of threats, I have asked yearn treasury to assist with refunding the 8m the hacker sent.
—— https://twitter.com/AndreCronjeTech/status/1310774715359924228
Thank you for the feedback today. I have read two primary criticism and both seem to be related to the public nature of this twitter account and the public nature of my ETH address. Going forward, I will not use either for new projects I am working on.
—— https://twitter.com/AndreCronjeTech/status/1310864406000041984
At the same time, Andre also lost his right-hand man: the YFI community KOL @Bluekirby, who was the first to shill the project and witnessed the whole hack unfold, said that he would resign from the YFI community.