Value DeFi Hit by $6 Million Loan Flash Exploit Author: Ali Raza Last Updated: 15 November 2020 Value DeFi seems to be the victim of a $6 million flash loan attack. This happened after a Twitter thread on Friday, detailing the prevention method of similar exploit technology. https://twitter.com/value_defi/status/1327469664620802050 The incident occurred on Friday night before Emilo Frangela, Aave Protocol’s developer, raised an alarm about the exploited loan. A user removed a flashloan of 80,000 ETH (worth more than $36 million) from the lending protocol. Emiliano Bonassi, the co-founder of DeFi Italy and a self-described white-hat hacker, revealed that the hacker also removed an extra $116 million flash loan from Uniswap. Flash-loaned ETH exchanged for stablecoins According to Bonassi, the attacker took stablecoins and replaced with the flash-loaned ETH. He kept some of the flash-loan DAI to Defi’s multi-stablecoin vault. Afterward, the attacker carried out several swaps of stablecoin between DAI, USDC, and USDT meant to launch an exploit on the pricing utilized in the withdrawal method of Value Defi. One of the most sophisticated attacks During a recent interview, he pointed out that the attack was one of the most sophisticated attacks he has seen for a long time, even though it was similar to the Harvest Finance attack. Bonassi also revealed that the attack was the first time he had seen a threat actor using two flash loans in a single attack. Later that night, the community Discord released a statement that admitted there was a flash loan attack. “We are aware of the current situation with the MultiStables vault,” the board acknowledges. The statement further asked users to be patient while the developers investigate the situation. It also informed users that apart from the attacked vault, other vaults are working properly. Few minutes after the attack, the threat actor carried out an ETH transaction that allegedly taunted the Value DeFi protocol using a message delivered to the address of the protocol deployed. “Do you really know flashloan? “, the statement reads. To deliver the message, the threat actor had to remove $.31 from his hacking gains to pay for the message. Shortly afterward, the protocol announced on Twitter that it was preparing a postmortem for the attack that resulted in the loss of $6 million for the users. The attack has directly led to the depreciation o the $VALUE token by from 2.73 to 2.01, which is more than a 25% reduction. This attack is one of the several setbacks the DeFi space has had within the past two weeks, which included an attack on Akpropolis protocol.