Value DeFi protocol suffers $6 million flash loan exploit

After a boast about the protocol’s resiliency, Value DeFi loses $6 million to exploit

Following a Twitter thread on Friday that highlighted the decentralized finance protocol’s flash loan exploit prevention methodology, Value DeFi appears to have been the victim of a $6 million flash loan exploit. 

At roughly 10:45 AM EST, a user took out a flashloan of 80,000 ETH (over $36 million) from lending protocol Aave. Aave developer Emilio Frangella immediately called attention to the loan:

The attacker then used the funds to conduct a flash loan arbitrage attack, targeting Value DeFi’s multi-stablecoin vault. The attacker deposited funds in the vault, arbitraged the funds between DAI and USDC, and exited with a multi-million payday. 

At 11:05, a statement in the community Discord acknowledged the exploit: 

We are aware of the current situation with the MultiStables vault. Please give us a bit time to check. Every other vaults and pools are working normally.

Shortly after the exploit, the attacker followed up with an Ethereum transaction that seemed to taunt the Value DeFi protocol with a message sent to the protocol’s deployer address:

“do you really know flashloan?”

The attacker paid $.31 in ETH from his profits to send the message.

At 12:12, the protocol said in a statement on Twitter that they were preparing a postmortem on the exploit, which they said led to a loss of $6 million for users: 

Since the attack, the the value of the $VALUE token has plunged over 25%, from 2.73 to 2.01 at press time. 

This exploit is just the latest in what has been a troubling week across the DeFi space that featured an attack on the Akropolis protocol. In a tweet Stani Kulechov of Aave signaled that the exploit is a sign of expanding attack vectors:

“Building resilient DeFi is becoming difficult.”