On Nov. 14, an unknown party exploited flash loans via the decentralized finance protocol Value DeFi to the tune of $5.4 million. A number of individuals have received a portion of their stolen funds back, however, after pleading with the hacker using input data on the Ethereum blockchain.
According to data from Etherscan, the hacker sent $95,000 in Dai back to two of the victims who posted messages accessible in the Ethereum block explorer’s input data on Sunday.
“I lost $100,000 in your attack,” said one victim who claimed to be a nurse. “These are all my savings. I hope you can return it to me.”
“My grandparents and my parents sent me their life savings for high yield return that I boasted about,” said another, stating he was a 19-year-old student living in the United Kingdom who had lost $200,000. “I will be grateful if you can send the funds back and I will return them to my family.”
While the hacker did transfer 50,000 Dai to the nurse and 45,000 Dai to the 19-year-old, they had a message for both of them. The hacker inferred that their attack was a "tough love" lesson for investors:
“I don’t expect to get your money, but as we have seen, there are so many people here who lack knowledge and caution, and sooner or later those money will be lost. Some wounds are painful, but very effective.”
In the time since these messages were posted, many affected users have likewise sent small transactions with messages attached, requesting that the hacker make them whole again. At the time of publication, there have since yesterday been no outgoing transactions from the address associated with the exploit.
According to a post-mortem report from Value DeFi published on Sunday, the exploit began when a user took out a flash loan of 80,000 Ether (ETH) — roughly $37 million at the time of publication — from lending protocol Aave in addition to buying 116 million Dai and 31 million Tether (USDT). The attacker then swapped 25 million Dai for the protocol’s dollar stablecoin mvUSD, 91 million DAI for USD Coin (USDC), and 31 million USDT for 17 million USDC. Each swap was designed to exploit the pricing used by Value’s vault withdrawal method.
The protocol has stated it will be creating a compensation fund for affected users and has reached out to the hacker in a transaction of its own in an attempt to “accelerate the process.” Etherscan records show that Value DeFi offered a $1 million bounty for the hacker to return $5.4 million in Dai. There has been no response or outgoing transactions from the hacker in the time since, however.
“All teams within this space are pioneering very risky technology that is by nature lacking the benefit of time for rigorous analysis and testing,” stated Value DeFi. “No matter if your funds are deployed in Value DeFi Protocol or any other DeFi projects, there is always an element of risk when it comes to smart contracts and increasingly complex deployments.”
The value of the $VALUE token is $2.02 at the time of publication, having fallen more than 26% since its pre-exploit price of $2.74 on Saturday.