Nick C.
21 Nov, 10 tweets, 3 min read
It appears we may have just seen our latest DeFi flash loan attack.

$20m in DAI stolen - potentially the biggest flash loan attack since Harvest a month ago, which took $30m in stables.

(h/t to @mattybchats for spotting this tx)
What's weird now is that Pickle's website currently is not working.

Those that are trying to access the Jars and Farms tab are just stuck with a loading screen.

Also, the Discord seems to have no public channels. Was it like this before?
Some people are arguing that this isn't an exploit or an attack - it might be some unannounced strategy change, they say.

The thing is, the person who did this tx got 10 ETH from Tornado + now owns nearly $20m in DAI in an EOA.
The interesting thing here to note is that the contract that executed this complex tx was not self-destructed as we've seen with previous attacks on DeFi protocols.
Upon closer inspection, there doesn't seem to have been a flash loan involved.

I'm hearing the attacker deployed fake Pickle Jars (strategies) that managed to drain the original Jar.
We're about to see @CoverProtocol in action for the first time.

Since its launch two days ago, users have provided 432,251 DAI in cover through the protocol.
Yeah, it appears to be the swapExactJarForJar function that broke it.

Basically, a Jar is like a Yearn Strategy.

The attacker made a malicious Jar, then swapped the funds from the recently-deployed DAI strategy to his own.
COVER FOR PICKLE*. I need to slow down a bit.
More on Cover Protocol's first claim.

Thus far, 100% of the COVER that has voted (573) says this is a valid claim.…
Pickle *was* audited by Haechi. The audit was published two days ago and found no critical issues and no major issues.

The thing is, the audit was seemingly commissioned & completed before the latest update to the Jars.
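The thread (and the recap further down) describes the failure only in outline: a controller function that moves funds from one Jar to another, reportedly with no check on which Jars it is pointed at, and an attacker-deployed Jar as the destination. The Solidity below is an added illustration of that class of bug, written for this page; it is not Pickle's code, not the real swapExactJarForJar, and every contract, function and event name in it (IJar, VulnerableController, FakeJar, HardenedController, swapJars, isRegisteredJar) is hypothetical. It shows a controller that trusts caller-supplied jar addresses beside one that only swaps between jars it has registered itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of an unchecked "jar swap". Every name here
// (IJar, VulnerableController, FakeJar, HardenedController, swapJars,
// isRegisteredJar) is hypothetical; this is NOT Pickle's code or ABI.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// What a controller needs from a jar (a vault-like strategy wrapper).
interface IJar {
    function token() external view returns (address);
    // Move `amount` of the jar's underlying token to `to`. A real jar would
    // restrict this to its controller, which is why the controller's own
    // checks are what matter here.
    function withdrawTo(address to, uint256 amount) external;
    // Tell the jar that tokens arrived so it can account for them.
    function notifyDeposit(uint256 amount) external;
}

// VULNERABLE: `from` and `to` are trusted as-is. The real jar trusts its
// controller, so the controller becomes a confused deputy: anyone can name
// a real jar as `from` and any IJar-shaped contract as `to`, and the
// controller moves the real jar's balance there.
contract VulnerableController {
    function swapJars(address from, address to, uint256 amount) external {
        IJar(from).withdrawTo(to, amount);
        IJar(to).notifyDeposit(amount);
    }
}

// A "malicious jar" is just any contract that satisfies IJar well enough
// for the controller's calls to succeed, plus a way to sweep what arrives.
contract FakeJar is IJar {
    address public immutable owner;
    address public immutable token;

    constructor(address underlying) {
        owner = msg.sender;
        token = underlying;
    }

    // Accept the controller's calls and do nothing.
    function withdrawTo(address, uint256) external pure {}
    function notifyDeposit(uint256) external pure {}

    function sweep() external {
        require(msg.sender == owner, "!owner");
        IERC20 t = IERC20(token);
        t.transfer(owner, t.balanceOf(address(this)));
    }
}

// HARDENED: only governance may swap, both endpoints must be jars this
// controller registered, and both must hold the same underlying token.
contract HardenedController {
    address public governance;
    mapping(address => bool) public isRegisteredJar;

    event JarRegistered(address indexed jar);
    event JarSwap(address indexed from, address indexed to, uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "!governance");
        _;
    }

    constructor() {
        governance = msg.sender;
    }

    function registerJar(address jar) external onlyGovernance {
        require(jar != address(0), "zero jar");
        isRegisteredJar[jar] = true;
        emit JarRegistered(jar);
    }

    function swapJars(address from, address to, uint256 amount) external onlyGovernance {
        require(isRegisteredJar[from] && isRegisteredJar[to], "unregistered jar");
        require(from != to, "same jar");
        require(IJar(from).token() == IJar(to).token(), "token mismatch");
        IJar(from).withdrawTo(to, amount);
        IJar(to).notifyDeposit(amount);
        emit JarSwap(from, to, amount);
    }
}
```

The registry check is the one that matters most: access control alone does not help if the privileged caller can be handed an attacker's address as a destination, so the controller has to restrict both endpoints to jars it created or explicitly approved, and the same-token check stops a swap from being used to mis-account assets between unrelated strategies. A function like this added after an audit, as the thread suggests happened with the Jar update, is exactly the kind of change that needs a fresh review of every address parameter it trusts.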


More from @n2ckchong

21 Nov
Recap of where we're at with Pickle:

Two hours ago, a suspicious transaction was seen involving Pickle's new pDAI jar.

$20m worth of DAI was withdrawn to an EOA, which funded the attack with 10 ETH from Tornado (mixer).

No flash loan was involved as first believed.
At this moment, the attack vector seems to be related to a function in the Pickle controller (v4), which can swap coins from one strategy to another.

Rumor has it that there was no check on the Jar Swap function. Pickle was audited but seemingly before this function was added.
Affected users are already contacting the attacker.

The first image here shows someone, a purported "nurse," asking for $100,000 back from the attacker. The use of the nurse bit was popularized last week with the Value attack, where the attacker returned $50k to a "nurse".
21 Nov
Back by popular demand. Again, with everything on DeFi being on-chain, we can connect firms & addresses.

A breakdown of some of the known Ethereum addresses of a16z, Celsius, Nexo. Also, a look at addresses *likely* operated by firms like Alameda, Struck Capital, & more.

a16z (1/2) is interesting because it became the first "mainstream" VC to go big on DeFi tokens.

They have $26m in MKR, $2m in SNX, and $1.5m in REP.

Of note, they're up $11m in their MKR.
a16z (2/2)

What I really remember about this address is others in the space eyeing it last year:

Someone deposited $250k of SNX into the address.

We still don't know if it was a16z.

Not much else to say though - I guess Pool 2 yield farming isn't in their mandate.
19 Nov
Wanted to bump this thread due to the Saffron Finance craze.

What I said about BarnBridge applies to Saffron - they're fundamentally similar projects with similar goals.

Saffron just launched first.

Here's a brief explanation of why $SFI is rallying so hard (up 400% today).
Tranches in finance are when a financial product/vehicle is split up into separate baskets to divvy up risk and yields to appeal to different investors.

There are junior tranches, which carry the most risk. If there is a default/crash, junior tranche holders take most losses.
To acquire Saffron Finance's governance token, SFI, users must deposit ETH-SFI Uniswap LP tokens or deposit into the two supported tranches, the "S" (senior) tranche and the "A" (junior) tranche.

- S tranche gets 71.25% of emissions
- A tranche gets 3.75%
- Uniswap LPs get 25%
19 Nov
Hands down one of the coolest DeFi products I've seen in recent months is Alpha Homora by @AlphaFinanceLab.

The product has seen a lot of attention over recent days as investors seek higher yields on Ethereum yield farming and liquidity mining.

Let's take a closer look.

To put it simply, Alpha Homora allows users to obtain leverage on Ethereum yield farming.

It also automates the yield farming process, even if the user does not want to take leverage.

This is similar to what the @zapper_fi team did in its early days with Zaps.
When you want to LP one ETH into ETH/WBTC on Uniswap, you swap 0.5 ETH into WBTC, then supply both to the pool. Cool.

But let's say you want to collect more in trading fees or in UNI (if rewards are voted back in): you can take leverage of up to 2.5x (used to be like 3x).
18 Nov
What's beautiful (and kind of scary) about DeFi is that we can see everything that happens on-chain and connect addresses to identities and firms.

Here's a breakdown of the known Ethereum addresses of Three Arrows Capital, Polychain Capital, and Jump Trading.

Three Arrows Capital (1/2):

One of the biggest Compound suppliers, with $100m in WBTC, $50m in ETH, and $6m in DAI.

3AC is also supplying 275 YFI and $13m in LINK to Aave and is farming SUSHI with 1.5m *recently-acquired* SUSHI.

3AC acquired 351k LINK during recent dip.
3AC (2/2):

With the collateral, 3AC is withdrawing stables and sending them to FTX. We've seen millions upon millions sent to an FTX address.

It is unclear what happens to the funds once they're there but 3AC is often on the profit + volume leaderboards on FTX.
17 Nov
Since UNI rewards ended yesterday, Uniswap's TVL has dropped by 40% to $1.9 billion. The bleeding shows no signs of abating yet.

Let's take a quick look at a few large liquidity providers (at random) and what they are doing with their freed-up capital. 👇
0xe0e withdrew $1.7m worth of liquidity from Uniswap's ETH-DAI pair.

They deposited all of that capital immediately into cAssets, cDAI and cETH.
0x975 withdrew $2.8m worth of liq from ETH-DAI.

They deposited all that capital back into Binance without converting the ETH into DAI or vice-versa.

They made this addy with the sole purpose of farming UNI, meaning they're probs looking to re-allocate to DeFi or BTC (UOA).