Value DeFi, a decentralized finance protocol that was hacked for $6 million worth of DAI via a flash loan taken out for 80,000 ETH on the Aave protocol, has offered the hacker $1 million in DAI as a bounty for them to return funds to their users.
Data from the Ethereum blockchain shows that the hacker took out a flash loan for 80,000 ether on Aave and used the funds to exploit Value DeFi’s MultiStables vault and steal over 6 million DAI in the process. Flash loans, it’s worth noting, do not require collateral as they are repaid in the same transaction they are taken in.
The hacker left a provocative message on the transaction that took the loan, asking Value DeFi’s team “do you really know flashloan?” The message referenced a tweet from Value DeFi’s team claiming it had flash loan attack protections.
In a post-mortem, Value DeFi revealed that the attack targeted a new vault that used unaudited code and took advantage of two vulnerabilities: users' deposits on the Vault did not check the smart contract "at the Bank layer," and as a result the attacker could take advantage of a feature implemented without considering flash loans, since the first vulnerability was not supposed to be there.
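As an added illustration, not Value DeFi's code, the following minimal Solidity vault shows the two defensive checks the post-mortem implies: deposits are only accepted through the Bank contract (so the Bank layer's checks cannot be bypassed), and a deposit and a withdrawal cannot land in the same block, which is incompatible with a flash loan that must be repaid inside one transaction. The `IBank` interface, the `onlyBank` modifier, the toy 1:1 share accounting and the same-block guard are assumptions for illustration, not details taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical Bank-layer contract; the interface name is an assumption.
interface IBank {
    function isFlashLoanFree(address user) external view returns (bool);
}

contract GuardedVault {
    IBank public immutable bank;
    mapping(address => uint256) public shares;            // toy 1:1 share accounting
    mapping(address => uint256) public lastDepositBlock;  // per-user deposit block

    constructor(IBank _bank) {
        bank = _bank;
    }

    // Check 1: deposits must come via the Bank layer, so whatever checks the Bank
    // performs (here, an assumed flash-loan screen) cannot be skipped by calling
    // the vault directly.
    modifier onlyBank() {
        require(msg.sender == address(bank), "deposit must come via Bank");
        _;
    }

    function deposit(address user, uint256 amount) external onlyBank {
        require(amount > 0, "zero deposit");
        require(bank.isFlashLoanFree(user), "Bank-layer flash loan check failed");
        shares[user] += amount;
        lastDepositBlock[user] = block.number;
    }

    // Check 2: a flash loan is repaid in the same transaction it was taken in, so
    // refusing a withdrawal in the deposit's block breaks the atomic
    // borrow -> deposit -> withdraw -> repay sequence.
    function withdraw(uint256 amount) external {
        require(lastDepositBlock[msg.sender] < block.number, "same-block withdraw blocked");
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        // Token transfer back to msg.sender omitted in this toy example.
    }
}
```

The same-block guard is a generic pattern for making a vault flash-loan-aware; whether it would have covered the specific feature the report mentions cannot be confirmed from the post-mortem alone.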
Reacting to the vulnerability, Value DeFi halted deposits to the MultiStables Vaults and snapshotted depositors' balances before the attack to calculate compensation amounts. Future releases, Value DeFi's team added, will be "heavily audited from Public Auditors and from public solidity devs."
Value DeFi’s team revealed in the report it reached out to the hacker on the Ethereum blockchain, offering a bounty for the return of the funds to its users. In their message, they wrote:
Point well-proven! Clearly we were not as knowledgable [sic] as we thought we were. How about 1mil DAI as a bounty and you return the remaining DAI back to our affected users. We have a plan to make whole all those affected in our community, and this would accelerate the process.
Users will be able to withdraw 28.24% of their initial deposit, and can claim an additional 20% from 2 million DAI returned by the hacker.
To compensate users, a compensation fund will be created by increasing performance fees and swap fees, from 14% and 30% to 20% and 50% respectively. To reimburse users an IOU token will be created at a 1:1 ratio “for every dollar lost by affected farmers,” and it will “auto accrue 10% APY.”
That means if you hold 1 IOU token, next week you will have approximately 1.0019 IOU tokens automatically. The compensation fund will be used to buy back all IOU tokens to maintain the peg of $1 and burn all the bought IOU tokens.
The team, at the end of the report, reiterated that “all teams within this space [DeFi] are pioneering very risky technology.”