Verify a decision
Every moderation decision on AVOID.NET is anchored to the Solana blockchain. You don't have to trust us — you can verify cryptographically that we committed to a verdict at a specific moment and have not rewritten it.
How verification works
- We commit. When a moderator accepts or rejects a submission, we serialize the decision into deterministic UTF-8 bytes (payload_canonical_string), hash it with SHA-256, encode the digest as base58, and write it to Solana inside an SPL Memo v2 transaction.
- We store the bytes. The exact bytes we hashed are stored alongside the decision in our database. Anyone can read them and recompute the hash in any language.
- You compare three values. These are the database hash, your independently recomputed hash, and the hash inside the on-chain memo. If all three match, the decision is authentic and timestamped.
The on-chain memo format is
AVOID.NET|v1|h:<b58-sha256>|d:<id>|t:<iso>
Find a signature on any investigation page's decision log, or run python -m src.verify_decision --signature <sig> for a CLI check.
Decision
publish · Value DeFi Protocol
- Sequence: #1
- Score: →
- Cluster: mainnet-beta
- Slot: 423324667
- Off-chain at: 2026-05-31T07:00:19.950Z
- Anchored at: —
- Block time: —
Independent verification
- 1. Database (off-chain): CFJdwJgJzd7CYRnaWcz3QZ1nf8VcyjwX5Uca3FLiSEvQ
- 2. Recomputed (your browser): computing…
- 3. On-chain (Solana memo): fetching…
Canonical bytes hashed (19439 chars)
{"actor":"system:backfill","investigation_id":"094fdec1-df48-41eb-bb8c-ccc44f323d0c","kind":"publish","page_slug":"value-defi","published_at":"2026-05-31T07:00:19.804Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Value DeFi Protocol","sections":[{"content":"On November 14, 2020, at approximately 3:36 PM UTC, an unknown attacker drained approximately $7.4 million in DAI from Value DeFi's MultiStables vault, returning $2 million and retaining roughly $5.4–6 million in net profit. The attack occurred less than 24 hours after Value DeFi published a now-deleted tweet claiming the protocol had the 'highest security' and was capable of preventing flash loan attacks. The attacker exploited two vulnerabilities: the vault's deposit function did not check for smart contract callers at the bank layer, and the convert_rate_xxx_to_3crv() function lacked flash loan protections. Using flash loans sourced from Aave (80,000 ETH) and Uniswap (approximately $116 million in DAI), the attacker manipulated Curve's 3pool stablecoin prices, causing a disproportionate calculation of 3Crv tokens on withdrawal — depositing 25 million DAI but redeeming approximately 33 million DAI in 3Crv. The attacker returned $2 million in DAI to the protocol along with a taunting on-chain message reading 'do you really know flashloan?' as documented in PeckShield's root cause analysis. The protocol's VALUE governance token dropped approximately 27–30% in the hours following the attack. 
Value DeFi's post-mortem acknowledged the vulnerabilities and committed to auditing Vault v2 before release, while creating an IOU token compensation mechanism for affected users.","heading":"November 14, 2020 Flash Loan Exploit (MultiStables Vault)","severity":"critical","sources":[{"credibility":2,"name":"Value DeFi MultiStables Vault Exploit Post-Mortem (Medium)","type":"official","url":"https://valuedefi.medium.com/multistables-vault-exploit-post-mortem-d11b0635788f"},{"credibility":2,"name":"Value DeFi Incident: Root Cause Analysis — PeckShield (Medium)","type":"research","url":"https://peckshield.medium.com/value-defi-incident-root-cause-analysis-fbab71faf373"},{"credibility":1,"name":"Value DeFi Suffers $6M Flash Loan Attack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/11/14/value-defi-suffers-6m-flash-loan-attack/"},{"credibility":2,"name":"DeFi Protocol That Bragged About Having Flash Loan Attack Prevention Hacked for $6 Million — Bitcoin News","type":"news_article","url":"https://news.bitcoin.com/defi-protocol-bragged-having-flash-loan-attack-prevention-hacked-6-million/"},{"credibility":2,"name":"Value DeFi — REKT (rekt.news)","type":"research","url":"https://rekt.news/value-defi-rekt"}]},{"content":"Following the November 14 exploit, Value DeFi identified centralized price oracle reliance on Curve's AMM spot price as a core vulnerability. The protocol had used Curve's AMM-based oracle to measure asset prices, a design susceptible to flash loan manipulation because prices could be artificially moved within a single transaction. The exploit demonstrated that an attacker with sufficient capital could temporarily distort the 3pool's exchange rates, causing the vault's internal accounting to award disproportionate 3Crv tokens on withdrawal. In response, Value DeFi announced an integration with Chainlink's decentralized oracle network, citing Chainlink as 'the best oracle solution capable of mitigating flash loan attacks.' 
Chainlink co-founder Sergey Nazarov publicly commented that 'the core of the issue is price oracle security,' and warned that oracle manipulation attacks would increase as DeFi TVL grew. This oracle migration was described as the primary remediation, though it did not prevent subsequent exploits on the protocol.","heading":"November 2020 Oracle Manipulation and Chainlink Response","severity":"high","sources":[{"credibility":2,"name":"After $6 Million Hack, Value DeFi Turns to Chainlink for Help — Decrypt","type":"news_article","url":"https://decrypt.co/48892/value-defi-hacked-chainlink"},{"credibility":2,"name":"Value DeFi Incident: Root Cause Analysis — PeckShield (Medium)","type":"research","url":"https://peckshield.medium.com/value-defi-incident-root-cause-analysis-fbab71faf373"}]},{"content":"On May 5, 2021, Value DeFi suffered a second major security incident, this time on Binance Smart Chain, resulting in an alleged loss of approximately $10 million. The exploit targeted the profit-sharing vStake pool and stemmed from a missing line of code: the initialize() function lacked the statement 'initialized = true,' which allowed any actor to re-initialize the pool and assign themselves the operator role. The attacker used this privilege to call the governanceRecoverUnsupported() function — a legitimate recovery mechanism intended for emergency use — to drain 10,839.16 vBWAP/BUSD LP tokens, subsequently converting them to approximately 7,342.75 vBSWAP and 205,659 BUSD. The team attributed the bug to 'human error' during a code migration: 'the code was not written from scratch but migrated from the old implementation of the Value DeFi Reserve Fund. When merging the code, the line was not included.' This class of vulnerability — a missing initialization guard — is considered a basic smart contract security flaw. 
The incident was catalogued by rekt.news.","heading":"May 5, 2021 vStake Pool Re-initialization Exploit","severity":"critical","sources":[{"credibility":2,"name":"Value DeFi — REKT 2 (rekt.news)","type":"research","url":"https://rekt.news/value-rekt2"},{"credibility":2,"name":"07 May 2021 Value DeFi Incident — Iron Finance (Medium)","type":"official","url":"https://ironfinance.medium.com/07-may-2021-value-defi-incident-part-1-b4f2a7a1a2b2"},{"credibility":3,"name":"May 2021 Value DeFi On Sale Again — Quadriga Initiative","type":"research","url":"https://www.quadrigainitiative.com/hackfraudscam/valuedefionsaleagain.php"}]},{"content":"Three days after the vStake exploit, on May 8, 2021, Value DeFi's vSwap module on Binance Smart Chain was exploited via a separate flash loan vulnerability. According to SlowMist's analysis, the attack exploited a flaw in the ensureConstantValue validation function. When the tokenWeight0 parameter was set to 70, a secondary inspection algorithm was triggered that had inadequate validation logic. By initiating a small swap (0.05 WBNB for vBSWAP), the attacker could execute a flash loan such that the vSwap contract transferred vBSWAP and WBNB to the attacker while the security check passed due to a permitted 'huge fluctuation range' in cached vs. real-time token values. The attacker was able to repeat this sequence across multiple vSwap pools, draining their liquidity. The specific dollar amount from this vSwap exploit was not separately quantified in available sources; it is included in aggregate loss estimates for May 2021. 
The two May 2021 exploits combined caused Value DeFi to become, as noted by rekt.news, the first protocol to appear twice on the REKT leaderboard.","heading":"May 8, 2021 vSwap Module Flash Loan Exploit","severity":"critical","sources":[{"credibility":2,"name":"SlowMist: Value DeFi vSwap Module Hack Analysis (Medium)","type":"research","url":"https://slowmist.medium.com/slowmist-value-defi-vswap-module-hack-analysis-64e8909ef6a2"},{"credibility":2,"name":"Value DeFi — REKT 2 (rekt.news)","type":"research","url":"https://rekt.news/value-rekt2"}]},{"content":"Value DeFi Protocol launched in 2020 as a multi-product DeFi suite operating on both Ethereum mainnet and Binance Smart Chain. Its primary products included: vSafe (automated yield aggregator vaults using multiple strategies and auto-compounding), vSwap (an AMM-based decentralized exchange with customizable pool ratios and swap fees), vFarm (liquidity mining pools), vPegSwap (a Curve StableSwap-style implementation for pegged assets), Farms-as-a-Service (FaaS, a self-service liquidity mining tool available to third-party projects), and vGovernance (staking of the VALUE token for protocol governance and revenue sharing). The vSafe product was designed to allow smart contracts full custody of user capital to enable automated strategy rebalancing and compounding. The MultiStables vault — the target of the first exploit — was launched on November 13, 2020, and exploited within hours of launch. The exploit was later attributed partly to the vault having not been independently audited prior to deployment. 
Subsequent vBSWAP incentive additions and cross-chain expansion to BSC introduced additional attack surface.","heading":"Protocol Architecture and Product Overview","severity":"medium","sources":[{"credibility":2,"name":"vSafe — Value DeFi Protocol Documentation","type":"official","url":"https://docs.valuedefi.io/products/vSafes"},{"credibility":3,"name":"The Beginner's Guide to Value DeFi — Frontier Protocols","type":"other","url":"https://frontierprotocols.com/beginners-guide-to-value-defi/"},{"credibility":2,"name":"Value DeFi MultiStables Vault Exploit Post-Mortem (Medium)","type":"official","url":"https://valuedefi.medium.com/multistables-vault-exploit-post-mortem-d11b0635788f"}]},{"content":"Value DeFi publicly advertised multiple security features prior to its first exploit, including flash loan attack prevention, fake-token attack prevention, and re-entrancy attack prevention. A tweet published November 13, 2020 — later deleted — claimed the protocol possessed the 'highest security.' The MultiStables vault that was exploited the following day had not undergone an independent audit before launch, according to the team's own post-mortem. The attacker's on-chain taunt — 'do you really know flashloan?' — drew widespread attention to the gap between the protocol's stated security posture and its actual implementation. Following the first exploit, the team committed to auditing vault contracts before release and migrated to Chainlink oracles. Despite these remediation steps, two additional exploits followed within six months, one caused by a missing initialization guard (a basic coding error) and one by an insufficiently validated inspection function in vSwap. The combination of prior security claims and repeated fundamental vulnerabilities in different contract modules is broadly considered a significant indicator of inadequate security practices.","heading":"Security Claims vs. 
Track Record","severity":"high","sources":[{"credibility":2,"name":"DeFi Protocol That Bragged About Having Flash Loan Attack Prevention Hacked for $6 Million — Bitcoin News","type":"news_article","url":"https://news.bitcoin.com/defi-protocol-bragged-having-flash-loan-attack-prevention-hacked-6-million/"},{"credibility":2,"name":"Value DeFi MultiStables Vault Exploit Post-Mortem (Medium)","type":"official","url":"https://valuedefi.medium.com/multistables-vault-exploit-post-mortem-d11b0635788f"},{"credibility":2,"name":"Value DeFi Incident: Root Cause Analysis — PeckShield (Medium)","type":"research","url":"https://peckshield.medium.com/value-defi-incident-root-cause-analysis-fbab71faf373"}]},{"content":"The founding team of Value DeFi Protocol has not been publicly identified by name in any available Tier 1 or Tier 2 sources reviewed for this investigation. The GitHub organization (github.com/valuedefi) lists no public members. Official communication was conducted via the @value_defi Twitter/X account and the protocol's Medium blog, neither of which attributed authorship to named individuals. An anonymous or pseudonymous team structure is a recognized risk factor in DeFi, as it limits accountability in the event of exploits, mismanagement, or fund recovery disputes. The team did respond publicly to each exploit through blog posts and Twitter, but the absence of named individuals means no identified party has been held accountable for the security failures that resulted in approximately $23 million in aggregate user losses.","heading":"Team Anonymity and Accountability","severity":"high","sources":[{"credibility":2,"name":"valuedefi GitHub Organization","type":"official","url":"https://github.com/valuedefi"},{"credibility":2,"name":"Value DeFi (@value_defi) on X","type":"official","url":"https://twitter.com/value_defi"}]},{"content":"Following the November 14, 2020 exploit, the attacker voluntarily returned $2 million of the approximately $7.4 million taken. 
Value DeFi announced that affected users could claim 20% compensation in DAI from the returned funds. The team also created an IOU token mechanism designed to distribute compensation over time, with performance fees (20%) and swap fees (50%) earmarked toward repayment, and the IOU accruing a 10% APY through a rebase mechanism. For the May 2021 vStake exploit, available sources do not document a comparable recovery or compensation plan. The total known voluntary return across all incidents is the $2 million from the November 2020 attacker. Aggregate net losses after recovery are estimated at approximately $21 million across the three documented incidents, though individual incident amounts and recovery figures vary across sources and should be treated as approximate.","heading":"Compensation and Fund Recovery","severity":"high","sources":[{"credibility":2,"name":"Value DeFi MultiStables Vault Exploit Post-Mortem (Medium)","type":"official","url":"https://valuedefi.medium.com/multistables-vault-exploit-post-mortem-d11b0635788f"},{"credibility":2,"name":"Saddest Hack in Crypto: Value DeFi Hacked for $6 Million — Decrypt","type":"news_article","url":"https://decrypt.co/48256/saddest-hack-in-crypto-value-defi-hacked-for-6-million"}]}],"sources_used":[{"name":"Value DeFi Suffers $6M Flash Loan Attack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2020/11/14/value-defi-suffers-6m-flash-loan-attack/"},{"name":"DeFi Protocol That Bragged About Having Flash Loan Attack Prevention Hacked for $6 Million — Bitcoin News","type":"news_article","url":"https://news.bitcoin.com/defi-protocol-bragged-having-flash-loan-attack-prevention-hacked-6-million/"},{"name":"Value DeFi Incident: Root Cause Analysis — PeckShield (Medium)","type":"research","url":"https://peckshield.medium.com/value-defi-incident-root-cause-analysis-fbab71faf373"},{"name":"Value DeFi MultiStables Vault Exploit Post-Mortem — Value DeFi 
(Medium)","type":"official","url":"https://valuedefi.medium.com/multistables-vault-exploit-post-mortem-d11b0635788f"},{"name":"After $6 Million Hack, Value DeFi Turns to Chainlink for Help — Decrypt","type":"news_article","url":"https://decrypt.co/48892/value-defi-hacked-chainlink"},{"name":"Saddest Hack in Crypto: Value DeFi Hacked for $6 Million — Decrypt","type":"news_article","url":"https://decrypt.co/48256/saddest-hack-in-crypto-value-defi-hacked-for-6-million"},{"name":"Value DeFi — REKT (rekt.news)","type":"research","url":"https://rekt.news/value-defi-rekt"},{"name":"Value DeFi — REKT 2 (rekt.news)","type":"research","url":"https://rekt.news/value-rekt2"},{"name":"SlowMist: Value DeFi vSwap Module Hack Analysis (Medium)","type":"research","url":"https://slowmist.medium.com/slowmist-value-defi-vswap-module-hack-analysis-64e8909ef6a2"},{"name":"07 May 2021 Value DeFi Incident — Iron Finance (Medium)","type":"official","url":"https://ironfinance.medium.com/07-may-2021-value-defi-incident-part-1-b4f2a7a1a2b2"},{"name":"vSafe — Value DeFi Protocol Documentation","type":"official","url":"https://docs.valuedefi.io/products/vSafes"},{"name":"Value DeFi exploited for $6 million with 2 flash loans Aave and Uniswap — CryptoTips","type":"news_article","url":"https://cryptotips.eu/en/news/value-defi-exploited-for-6-million-with-2-flash-loans-from-aave-and-uniswap/"},{"name":"Value DeFi Protocol — Official Website","type":"official","url":"https://valuedefi.io/"},{"name":"valuedefi GitHub Organization","type":"official","url":"https://github.com/valuedefi"}],"summary":"Value DeFi Protocol is a yield aggregation and automated market-making platform that operated on Ethereum and Binance Smart Chain, offering products including vSafe vaults, vSwap, and governance staking. The protocol suffered at least three major security exploits between November 2020 and May 2021, resulting in a combined estimated loss of approximately $23 million across multiple incidents. 
The protocol is notably remembered for having publicly claimed flash loan attack prevention the day before its first and most publicized exploit.","timeline":[{"date":"2020-11-13","event":"Value DeFi published a tweet (later deleted) claiming the protocol had the 'highest security' and was capable of preventing flash loan attacks. The MultiStables vault was launched.","source":"Bitcoin News","source_url":"https://news.bitcoin.com/defi-protocol-bragged-having-flash-loan-attack-prevention-hacked-6-million/"},{"date":"2020-11-14","event":"Flash loan exploit drained approximately $7.4 million in DAI from the MultiStables vault. Attacker used 80,000 ETH from Aave and ~$116 million DAI from Uniswap to manipulate Curve 3pool oracle prices. Attacker returned $2 million and left on-chain message: 'do you really know flashloan?'","source":"CoinDesk / PeckShield","source_url":"https://www.coindesk.com/markets/2020/11/14/value-defi-suffers-6m-flash-loan-attack/"},{"date":"2020-11-14","event":"VALUE governance token price dropped approximately 27–30% following exploit news.","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2020/11/14/value-defi-suffers-6m-flash-loan-attack/"},{"date":"2020-11-15","event":"Value DeFi published official post-mortem acknowledging two root cause vulnerabilities, halted MultiStables vault deposits, and announced IOU compensation mechanism for affected users.","source":"Value DeFi Medium (Official)","source_url":"https://valuedefi.medium.com/multistables-vault-exploit-post-mortem-d11b0635788f"},{"date":"2020-11-16","event":"Value DeFi announced integration with Chainlink's decentralized oracle network to replace the AMM-based Curve spot price oracle that was exploited.","source":"Decrypt","source_url":"https://decrypt.co/48892/value-defi-hacked-chainlink"},{"date":"2021-05-05","event":"Second major exploit on BSC: attacker re-initialized the vStake pool due to a missing 'initialized = true' guard in the initialize() function, 
assumed owner role, and called governanceRecoverUnsupported() to drain approximately $10 million.","source":"rekt.news","source_url":"https://rekt.news/value-rekt2"},{"date":"2021-05-07","event":"Iron Finance, a partner protocol whose liquidity pools were affected by the Value DeFi vStake exploit, published an incident report confirming the impact.","source":"Iron Finance Medium","source_url":"https://ironfinance.medium.com/07-may-2021-value-defi-incident-part-1-b4f2a7a1a2b2"},{"date":"2021-05-08","event":"Third exploit: Value DeFi's vSwap module on BSC was exploited via a flaw in the ensureConstantValue validation function, allowing an attacker to drain multiple liquidity pools using flash loans. SlowMist published an analysis.","source":"SlowMist / Medium","source_url":"https://slowmist.medium.com/slowmist-value-defi-vswap-module-hack-analysis-64e8909ef6a2"},{"date":"2021-05-08","event":"Value DeFi became the first protocol to appear twice on the rekt.news REKT leaderboard following the successive May 2021 exploits.","source":"rekt.news","source_url":"https://rekt.news/value-rekt2"}]},"v":1}