An attack targeting both the Yearn.finance (YFI) token and the Curve DEX resulted in the theft of a reported $9 million in funds. The attack occurred on December 24 and was triggered by a bad flash loan that the attacker initiated.
The hackers exploited the ERC-20 transfer function of the Curve protocol to borrow large amounts of funds, which they then funneled into the YFI protocol smart contracts. After amassing the stolen funds, the hackers allegedly sold the tokens on an unnamed decentralized exchange to cash out.
Yearn.finance and Curve have both acknowledged the attack and responded with measures intended to prevent such attacks in the future. Yearn.finance has released a patch that will make this type of attack more difficult to execute, while Curve developers are currently exploring ways to provide additional security measures. Meanwhile, the attackers are believed to still be holding some of the stolen funds, suggesting that the funds will likely not be recovered.