Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts/rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. Database hash, your independently-recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
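The three-way comparison described above, as an added example (not AVOID.NET's own code): it recomputes base58(SHA-256) over the stored string, parses the memo format, and compares all three values. The function names, the sample payload and the sample memo are constructed; the memo string is passed in rather than fetched from Solana, and `<id>` and `<iso>` are assumed never to contain `|`.

```python
import hashlib
import re

# Bitcoin/Solana base58 alphabet (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Memo layout from the page: AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
# Assumption: <id> and <iso> never contain '|'.
MEMO_RE = re.compile(r"AVOID\.NET\|v1\|h:([1-9A-HJ-NP-Za-km-z]+)\|d:([^|]+)\|t:([^|]+)")


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def decision_hash(canonical: str) -> str:
    """base58(SHA-256(UTF-8 bytes)) of the stored canonical string, hashed as-is."""
    return b58encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def parse_memo(memo: str):
    """Return the memo fields, or None if this is not a v1 AVOID.NET memo."""
    m = MEMO_RE.fullmatch(memo)
    if m is None:
        return None
    return {"hash": m.group(1), "id": m.group(2), "time": m.group(3)}


def verify(canonical: str, db_hash: str, memo: str) -> dict:
    """Compare the database hash, the recomputed hash and the on-chain memo hash."""
    recomputed = decision_hash(canonical)
    fields = parse_memo(memo)
    onchain = fields["hash"] if fields else None
    return {
        "recomputed": recomputed,
        "db_matches": db_hash == recomputed,
        "chain_matches": onchain == recomputed,
        "authentic": db_hash == recomputed == onchain,
    }


# Constructed sample data (not a real decision or a real memo).
SAMPLE = '{"actor":"moderator:example","kind":"publish","sequence_num":1,"v":1}'
SAMPLE_HASH = decision_hash(SAMPLE)
SAMPLE_MEMO = f"AVOID.NET|v1|h:{SAMPLE_HASH}|d:example-id|t:2026-01-01T00:00:00Z"

if __name__ == "__main__":
    print(verify(SAMPLE, SAMPLE_HASH, SAMPLE_MEMO))
    # Edited bytes no longer match the committed hash.
    print(verify(SAMPLE.replace("publish", "reject"), SAMPLE_HASH, SAMPLE_MEMO))
```

Hash the stored string byte for byte: parsing the JSON and serializing it again can change whitespace or key order, and with it the hash.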
Decision
publish · Yearn Finance DAI Vault Exploit
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 423324688
- Off-chain at: 2026-05-31T07:00:27.277Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): FTXLssoBtEcy6jwSvWdSHr6hPJUxPnnYsZt12wpaAfiU
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (17808 chars)
{"actor":"system:backfill","investigation_id":"47882469-b5ed-42df-800b-ba3d06f5fe18","kind":"publish","page_slug":"yearn-dai-vault","published_at":"2026-05-31T07:00:27.148Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Yearn Finance DAI Vault Exploit","sections":[{"content":"On February 4, 2021, Yearn Finance's v1 yDAI vault suffered a flash loan exploit that resulted in approximately $11 million in losses to vault depositors. The attacker netted an estimated $2.8 million in profit while the remaining loss was distributed as fees to Curve liquidity providers, Curve stakers, and Aave v2 lenders. The exploit targeted a combination of loosened security parameters on the v1 vault that had been deliberately relaxed to facilitate user migration to Yearn's v2 vaults. Tether subsequently froze $1.7 million in USDT that the attacker had moved following the exploit. Yearn developer banteg publicly disclosed the attack, stating: 'Attacker got away with 2.8m, dai vault lost 11.1m.'","heading":"Exploit Overview","severity":"critical","sources":[{"credibility":1,"name":"Yearn Finance DAI Vault 'Has Suffered an Exploit'; $11M Drained — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2021/02/04/yearn-finance-dai-vault-has-suffered-an-exploit-11m-drained"},{"credibility":1,"name":"Yearn Finance Security Disclosure 2021-02-04 — GitHub","type":"official","url":"https://github.com/iearn-finance/yearn-security/blob/master/disclosures/2021-02-04.md"},{"credibility":2,"name":"Explained: Inside the Yearn v1 yDAI Hack (Feb 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yearn-v1-ydai-hack-feb-2021"}]},{"content":"The attacker assembled a large flash loan position spanning multiple protocols: approximately 116,000 ETH from dYdX and 99,000 ETH from Aave v2, which were used as collateral to borrow 134 million USDC and 129 million DAI on Compound Finance. 
The attacker then deposited 134 million USDC and 36 million DAI into Curve's 3pool and withdrew 165 million USDT, creating a severe token imbalance that distorted the DAI exchange rate reported by the pool. With the pool imbalanced, the attacker repeatedly called the v1 vault's earn() function, forcing the vault to deposit DAI into the 3pool at unfavorable rates. In each cycle, the vault deposited approximately 93 million DAI and received back only 92.3 million DAI upon withdrawal, leaving roughly 0.7 million DAI stranded per cycle. This three-step cycle — imbalance creation, unfavorable vault deposit, profit realization — was repeated eleven times across 38 minutes. Curve co-founder Michael Egorov confirmed that 'someone deposited a bunch to Curve 3pool to manipulate DAI price given by the pool...vault somehow was relying on the DAI price given by this pool.' The attacker ultimately withdrew their original loan principal plus an additional approximately 2.9 million DAI in profit before repaying flash loans.","heading":"Attack Mechanics","severity":"critical","sources":[{"credibility":1,"name":"Yearn Finance Security Disclosure 2021-02-04 — GitHub","type":"official","url":"https://github.com/iearn-finance/yearn-security/blob/master/disclosures/2021-02-04.md"},{"credibility":2,"name":"Explained: Inside the Yearn v1 yDAI Hack (Feb 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yearn-v1-ydai-hack-feb-2021"},{"credibility":2,"name":"$11 Million Drained Out of Yearn Finance in a Flash Loan Exploit — Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/cryptocurrency/news/11-million-drained-out-of-yearn-finance-in-a-flash-loan-exploit/"}]},{"content":"Yearn's official post-mortem identified three configuration factors that, in combination, made the attack feasible. 
First, the yDAI vault's slippage protection was set to 1%, a tolerance wide enough to allow the attacker's repeated pool-manipulation cycles to inflict cumulative losses. Second, the vault's normal 0.5% withdrawal fee had been reduced to 0% to reduce friction for users migrating to v2 vaults; this lower fee made repeated exploit transactions economically viable by reducing per-cycle costs. Third, the v1 vault architecture allowed any external caller to invoke the earn() function, which immediately deposited vault holdings into the active strategy (the Curve 3pool). This unrestricted access was exploited to force vault deposits at the moment of maximum pool imbalance. None of these three factors alone would have enabled the exploit; their simultaneous presence created the attack surface. The v2 vault architecture addressed the permissioned earn() issue, and the deliberate parameter relaxation for migration purposes was not replicated in v2.","heading":"Root Causes and Contributing Vulnerabilities","severity":"high","sources":[{"credibility":1,"name":"Yearn Finance Security Disclosure 2021-02-04 — GitHub","type":"official","url":"https://github.com/iearn-finance/yearn-security/blob/master/disclosures/2021-02-04.md"},{"credibility":2,"name":"yearn.finance Reveals Details on Hack That Triggered $11 Million Loss — The Daily Hodl","type":"news_article","url":"https://dailyhodl.com/2021/02/07/yearn-finance-reveals-details-on-hack-that-triggered-11-million-loss/"},{"credibility":1,"name":"Curve Liquidity Providers See $3M Windfall from $11M Yearn.finance Exploit — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/curve-liquidity-providers-see-3m-windfall-from-11m-yearn-finance-exploit"}]},{"content":"Yearn's security team and multi-sig wallet signers responded to the exploit within approximately eleven minutes of the first malicious transaction. 
The primary mitigation was applying setMin(0) to the affected v1 vaults — specifically the DAI, USDC, USDT, and TUSD vaults — which disabled new deposits into the underlying strategies and prevented the attacker from executing further exploit cycles. This intervention halted the attack while approximately $24 million of the vault's $35 million total assets under management remained intact. Tether coordinated with Yearn and froze $1.7 million in USDT that the attacker had already moved, further limiting the attacker's realized gain. YFI token price dropped approximately $4,000 in the immediate aftermath of the public disclosure.","heading":"Incident Response and Mitigation","severity":"high","sources":[{"credibility":1,"name":"Yearn Finance DAI Vault 'Has Suffered an Exploit'; $11M Drained — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2021/02/04/yearn-finance-dai-vault-has-suffered-an-exploit-11m-drained"},{"credibility":2,"name":"Explained: Inside the Yearn v1 yDAI Hack (Feb 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yearn-v1-ydai-hack-feb-2021"},{"credibility":1,"name":"After Yearn Exploit, Attacker Funds Frozen and Reimbursement Plans Developing — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/after-yearn-exploit-attacker-funds-frozen-and-reimbursement-plans-developing"}]},{"content":"Yearn Finance committed to making affected depositors whole. To fund reimbursement without liquidating treasury assets, Yearn opened a MakerDAO Collateralized Debt Position (CDP) using YFI tokens held in the treasury as collateral and minted 9.7 million DAI against that position. These funds were deposited into the yDAI vault to restore its net asset value. Yearn stated that the outstanding MakerDAO debt would be repaid over time using fees generated by the protocol. 
Yearn explicitly characterized this as a one-time action and stated it would expect users in the future to manage their own risk by purchasing coverage through Yearn ecosystem partner Cover Protocol. Separately, Nexus Mutual processed 18 insurance claims related to the hack: 15 claims were approved with total payouts of approximately $2.317 million, and 4 claims were denied. One denied claim (Claim 92) was rejected specifically because the claimant had already been made whole through Yearn's direct reimbursement.","heading":"User Reimbursement","severity":"medium","sources":[{"credibility":2,"name":"Yearn Restores yDAI Vault and Compensates Hack Victims — The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/yearn-restores-ydai-vault-and-compensates-hack-victims"},{"credibility":1,"name":"Yearn.Finance Puts Expanded Treasury to Use by Repaying Victims of $11M Hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/yearn-finance-puts-expanded-treasury-to-use-by-repaying-victims-of-11m-hack"},{"credibility":2,"name":"Yearn yDAI Hack Claims History — Nexus Mutual Documentation","type":"official","url":"https://docs.nexusmutual.io/overview/claims-history/yearn-2021/"}]},{"content":"The v1 yDAI vault had received multiple third-party security audits prior to the exploit. Quantstamp conducted a security review dated July 24, 2020, and MixBytes audited the Yearn.Finance protocol v1 smart contracts with a report dated November 5, 2020, finding no critical or major issues. Despite these audits, the configuration changes made to the v1 vault parameters in preparation for the v2 migration — specifically the relaxed slippage tolerance and zeroed withdrawal fee — were operational decisions made after audits were complete and were not covered by the published audit reports. 
The exploit did not stem from a code logic flaw identified in the audits, but from a combination of deliberately relaxed operational parameters and an architectural property of v1 vaults (unrestricted earn() access) that became exploitable under those relaxed conditions.","heading":"Audit Status at Time of Exploit","severity":"medium","sources":[{"credibility":1,"name":"Yearn Finance Audits Documentation — GitHub (yearn/yearn-docs)","type":"official","url":"https://github.com/yearn/yearn-docs/blob/master/resources/audits.md"},{"credibility":2,"name":"MixBytes Audit — Yearn.Finance Protocol V1 — GitHub","type":"official","url":"https://github.com/mixbytes/audits_public/blob/master/Yearn%20Finance/Yearn%20Protocol%20V1/README.md"},{"credibility":2,"name":"Quantstamp Yearn.Finance Security Review","type":"research","url":"https://quantstamp.com/blog/yearn-finance-security-review"}]},{"content":"Following the exploit, Yearn took several steps to improve security for its vault system. The v2 vault architecture addressed the unrestricted earn() call vulnerability by restricting who could trigger deposits into strategies. Yearn accelerated the deprecation of v1 vaults and the migration of users to v2 vaults. The team applied setMin(0) to all v1 vaults as an immediate containment measure. Yearn also publicly encouraged users to obtain DeFi insurance coverage and highlighted ecosystem partners such as Cover Protocol as risk-management tools. Over 2021, Yearn continued to expand its security audit program, engaging MixBytes for additional reviews of v2 vault contracts. 
The incident is frequently cited in DeFi security literature as an example of how operational parameter changes — even well-intentioned ones such as fee waivers for migration — can introduce exploitable attack surfaces that were absent at the time of formal audit.","heading":"Post-Exploit Security Improvements","severity":"low","sources":[{"credibility":1,"name":"Yearn Finance Security Disclosure 2021-02-04 — GitHub","type":"official","url":"https://github.com/iearn-finance/yearn-security/blob/master/disclosures/2021-02-04.md"},{"credibility":2,"name":"Yearn Finance Pushes DeFi Insurance Following Flash Loan Attack — BeInCrypto","type":"news_article","url":"https://beincrypto.com/yearn-finance-pushes-defi-insurance-flash-loan-attack/"},{"credibility":2,"name":"MixBytes Audit — Yearn Vaults V2 — GitHub","type":"official","url":"https://github.com/mixbytes/audits_public/blob/master/Yearn%20Finance/Vault%20V2%20(Solidity%20part)/README.md"}]}],"sources_used":[{"name":"Yearn Finance Security Disclosure 2021-02-04 — GitHub","type":"official","url":"https://github.com/iearn-finance/yearn-security/blob/master/disclosures/2021-02-04.md"},{"name":"Yearn Finance DAI Vault 'Has Suffered an Exploit'; $11M Drained — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2021/02/04/yearn-finance-dai-vault-has-suffered-an-exploit-11m-drained"},{"name":"Explained: Inside the Yearn v1 yDAI Hack (Feb 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-yearn-v1-ydai-hack-feb-2021"},{"name":"Yearn.Finance Puts Expanded Treasury to Use by Repaying Victims of $11M Hack — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/yearn-finance-puts-expanded-treasury-to-use-by-repaying-victims-of-11m-hack"},{"name":"Curve Liquidity Providers See $3M Windfall from $11M Yearn.finance Exploit — 
CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/curve-liquidity-providers-see-3m-windfall-from-11m-yearn-finance-exploit"},{"name":"Yearn Restores yDAI Vault and Compensates Hack Victims — The Defiant","type":"news_article","url":"https://thedefiant.io/news/defi/yearn-restores-ydai-vault-and-compensates-hack-victims"},{"name":"After Yearn Exploit, Attacker Funds Frozen and Reimbursement Plans Developing — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/after-yearn-exploit-attacker-funds-frozen-and-reimbursement-plans-developing"},{"name":"Yearn yDAI Hack Claims History — Nexus Mutual Documentation","type":"official","url":"https://docs.nexusmutual.io/overview/claims-history/yearn-2021/"},{"name":"Yearn Finance Audits Documentation — GitHub (yearn/yearn-docs)","type":"official","url":"https://github.com/yearn/yearn-docs/blob/master/resources/audits.md"},{"name":"MixBytes Audit — Yearn.Finance Protocol V1 — GitHub","type":"official","url":"https://github.com/mixbytes/audits_public/blob/master/Yearn%20Finance/Yearn%20Protocol%20V1/README.md"},{"name":"Quantstamp Yearn.Finance Security Review","type":"research","url":"https://quantstamp.com/blog/yearn-finance-security-review"},{"name":"$11 Million Drained Out of Yearn Finance in a Flash Loan Exploit — Finance Magnates","type":"news_article","url":"https://www.financemagnates.com/cryptocurrency/news/11-million-drained-out-of-yearn-finance-in-a-flash-loan-exploit/"},{"name":"yearn.finance Reveals Details on Hack That Triggered $11 Million Loss — The Daily Hodl","type":"news_article","url":"https://dailyhodl.com/2021/02/07/yearn-finance-reveals-details-on-hack-that-triggered-11-million-loss/"}],"summary":"On February 4, 2021, an attacker exploited Yearn Finance's v1 yDAI vault using a multi-protocol flash loan to manipulate exchange rates in Curve Finance's 3pool, causing approximately $11 million in vault losses while the attacker personally profited roughly $2.8 
million. Yearn Finance's security team contained the exploit within eleven minutes, preserving $24 million of the vault's $35 million under management. Yearn subsequently reimbursed affected depositors by minting 9.7 million DAI against YFI collateral in a MakerDAO vault, with the intent to repay the debt from ongoing protocol revenue.","timeline":[{"date":"2020-07-24","event":"Quantstamp completes security review of Yearn.Finance v1 smart contracts.","source":"Quantstamp Blog","source_url":"https://quantstamp.com/blog/yearn-finance-security-review"},{"date":"2020-11-05","event":"MixBytes completes audit of Yearn.Finance protocol v1 smart contracts, finding no critical or major issues.","source":"MixBytes Audits — GitHub","source_url":"https://github.com/mixbytes/audits_public/blob/master/Yearn%20Finance/Yearn%20Protocol%20V1/README.md"},{"date":"2021-02-04","event":"Attacker begins exploit of yDAI v1 vault using flash loans from dYdX and Aave v2, borrowing against Compound to manipulate Curve 3pool exchange rates. The attack repeats across 11 transactions over approximately 38 minutes.","source":"Yearn Finance Security Disclosure — GitHub","source_url":"https://github.com/iearn-finance/yearn-security/blob/master/disclosures/2021-02-04.md"},{"date":"2021-02-04","event":"Yearn security team responds within 11 minutes of detecting the attack, applying setMin(0) to DAI, USDC, USDT, and TUSD v1 vaults, halting further exploit cycles. Total vault loss: approximately $11 million. Attacker profit: approximately $2.8 million. 
Protected: approximately $24 million.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2021/02/04/yearn-finance-dai-vault-has-suffered-an-exploit-11m-drained"},{"date":"2021-02-04","event":"Tether freezes $1.7 million in USDT moved by the attacker.","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/after-yearn-exploit-attacker-funds-frozen-and-reimbursement-plans-developing"},{"date":"2021-02-05","event":"Yearn Finance publishes detailed post-mortem identifying three root causes: 1% slippage tolerance, 0% withdrawal fee, and unrestricted earn() access.","source":"Yearn Finance Security Disclosure — GitHub","source_url":"https://github.com/iearn-finance/yearn-security/blob/master/disclosures/2021-02-04.md"},{"date":"2021-02-08","event":"Yearn announces plan to make vault depositors whole by opening a MakerDAO CDP with YFI treasury collateral to mint 9.7 million DAI, restoring the vault's net asset value.","source":"The Defiant","source_url":"https://thedefiant.io/news/defi/yearn-restores-ydai-vault-and-compensates-hack-victims"},{"date":"2021-02-08","event":"Nexus Mutual begins processing 18 insurance claims related to the yDAI hack. Ultimately 15 are approved for a total payout of approximately $2.317 million.","source":"Nexus Mutual Documentation","source_url":"https://docs.nexusmutual.io/overview/claims-history/yearn-2021/"}]},"v":1}