On Wednesday, December 17, 2020, a targeted attack on two popular DeFi projects – dYdX and YFI Token – was discovered by the teams responsible for the projects. The attack resulted in a total of ~$9 million being stolen from the projects, with ~$8 million being stolen from dYdX and ~$1 million being stolen from YFI Token.
The attacker exploited a vulnerability in dYdX’s contract that made it possible to create a “wrapped” version of the project’s token and use it to drain funds from the project’s reserve. Using this exploit, the attacker transferred funds out of the dYdX and YFI Token smart contracts to wallets under the attacker’s control.
The teams behind both projects have taken steps to secure their respective smart contracts and have identified the wallets that the stolen funds were transferred to. The dYdX team is currently working with the project’s auditors to ensure that the security of its contracts has not been compromised. The YFI Token team is also working to secure its smart contract and has taken steps to restrict transfers out of the wallet that the attacker used to drain the funds.
In addition, both teams are collaborating with various law enforcement agencies to ensure the stolen funds are returned to the rightful owners. At this time, the attacker’s identity is still unknown and the teams are asking individuals with information on the attack to contact them directly.
This attack serves as a reminder to all DeFi projects to ensure their smart contracts are thoroughly audited and tested, as well as to constantly monitor their projects for any suspicious activity.