The latest ‘test in prod’ experiment from Yearn founder Andre Cronje has many degen traders questioning their YOLO instincts, after a flash loan attack yesterday afternoon drained contracts that had never been officially released to the public.
Eminence Finance, an NFT gaming ecosystem still in development, was exploited for roughly $15M after traders rushed to farm EMN – a token meant to act as a reward stablecoin with zero inherent value.
“It’s a flat currency, not a token,” Cronje commented in a private group. “Meant for non-speculative in-game purchases only.”
There was no official announcement, launch post or public website. All it took was an eminence.finance Twitter account, a few cryptic tweets and Cronje’s retweets for traders to find the contracts and flood into the mysterious protocol, hoping to get in early on ‘the next YFI’.
By Cronje’s own account the contracts were about three weeks from completion and had not been properly tested or secured. That gave one savvy attacker the opening to use a flash loan to drain the pool of all its funds less than three hours after the project went viral on Crypto Twitter.
If you are confused how the hacker managed to drain the $EMN contract, here are the exact mechanics of what happened:
— Bartek Kiepuszewski (@bkiepuszewski) September 29, 2020
A Series of Unfortunate Events
A flurry of activity built up around Eminence Finance after a public Twitter account showcasing factions, or teams, for popular DeFi protocols, such as Chainlink ‘Marines’ and Synthetix ‘Spartans’, was unveiled and retweeted by Cronje.
A series of related tweets and posts followed, including a Medium blog post on how to “manually mint http://Yearn.finance latest creation, Eminence ($EMN).”
— eminence.finance (@eminencefi) September 29, 2020
Once the contracts were confirmed as deployed from the primary Yearn address, many were quick to start interacting with them, depositing DAI to mint EMN directly through the contract before any front-end existed. It is important to highlight that this was not just unaudited code, as with Sushi or Yam; there was no documentation and no front-end. Nobody knew exactly what the project was. All there was were a few speculative tweets.
The premise of an NFT-based Battle Royale incubated by Cronje was enough to get degens excited, with many blindly deploying funds in what is known as ‘aping’: rushing to throw money into an unaudited smart contract.
As degens flocked into the faction of their choosing, the attacker used a flash loan to mint a large amount of EMN on a tight bonding curve, pushing the price up; every EMN minted moved the price further along the curve. The attacker then burned part of that EMN for the wrapped eTokens – Eminence’s native versions of popular DeFi tokens such as Aave. That burn shrank the EMN supply against the same pool of DAI already deposited, so the bonding curve repriced the remaining EMN sharply upward.
That mispricing let the attacker redeem the eTokens back into EMN and sell into the inflated curve for DAI, repeating the cycle to compound the profit and repaying the flash loan out of the proceeds.
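To make the mechanics concrete, here is a toy simulation added for this write-up; it is not Eminence's contract code and not the attacker's script. It assumes Bancor-style bonding curves and made-up, scaled-down balances (1,000,000 DAI backing 1,000,000 EMN, a 2,000,000 DAI flash loan), because the page gives neither the real curve parameters nor the real state. The `EminenceModel`, `flash_loan_attack` and `honest_round_trip` names are the example's own.

```python
"""Toy bonding-curve model of the EMN / eToken interaction described above.

Added illustration, not Eminence's contract code. It assumes Bancor-style
continuous-token curves (purchase and sale return formulas with a reserve
ratio) as a stand-in. The real contract's curve, parameters and balances
are not given on this page, so every number below is constructed and
scaled down for the example.
"""


class BondingCurve:
    """Continuous token: price rises with supply, backed by a reserve."""

    def __init__(self, reserve: float, supply: float, ratio: float):
        self.reserve = reserve  # asset the curve is denominated in
        self.supply = supply    # tokens outstanding
        self.ratio = ratio      # reserve ratio; 0.5 gives a linear price curve

    def buy(self, amount_in: float) -> float:
        """Pay `amount_in` of the reserve asset, receive newly minted tokens."""
        minted = self.supply * ((1 + amount_in / self.reserve) ** self.ratio - 1)
        self.reserve += amount_in
        self.supply += minted
        return minted

    def sell(self, tokens: float) -> float:
        """Burn `tokens`, receive reserve asset according to the curve."""
        paid = self.reserve * (1 - (1 - tokens / self.supply) ** (1 / self.ratio))
        self.reserve -= paid
        self.supply -= tokens
        return paid


class EminenceModel:
    """EMN is minted from DAI; eAAVE (an eToken) is minted by burning EMN."""

    def __init__(self):
        # Constructed starting state: honest users already hold 1,000,000 EMN
        # backed by 1,000,000 DAI. The eAAVE curve is denominated in EMN.
        self.emn = BondingCurve(reserve=1_000_000.0, supply=1_000_000.0, ratio=0.5)
        self.eaave = BondingCurve(reserve=1_000.0, supply=1_000.0, ratio=0.5)

    def mint_emn(self, dai: float) -> float:
        return self.emn.buy(dai)

    def sell_emn(self, emn: float) -> float:
        return self.emn.sell(emn)

    def mint_eaave(self, emn: float) -> float:
        # The interaction the article describes: EMN paid for an eToken is
        # burned, shrinking EMN supply, while the DAI reserve behind the EMN
        # curve is left untouched. The remaining EMN now reprices upward.
        self.emn.supply -= emn
        return self.eaave.buy(emn)

    def burn_eaave(self, eaave: float) -> float:
        emn = self.eaave.sell(eaave)
        self.emn.supply += emn  # EMN re-minted, again without touching DAI
        return emn


def honest_round_trip(dai: float) -> float:
    """Mint EMN and sell it straight back: the curve alone is fair (net ~0)."""
    m = EminenceModel()
    return m.sell_emn(m.mint_emn(dai)) - dai


def flash_loan_attack(loan_dai: float) -> dict:
    """One cycle of the sequence described in the text, funded by a flash loan."""
    m = EminenceModel()
    honest_value_before = m.emn.reserve  # what honest holders could redeem

    emn = m.mint_emn(loan_dai)           # 1. mint EMN with the borrowed DAI
    eaave = m.mint_eaave(emn / 2)        # 2. burn half into eAAVE: EMN supply drops
    dai_out = m.sell_emn(emn / 2)        # 3. sell the other half at the new price
    emn_back = m.burn_eaave(eaave)       # 4. redeem eAAVE back into EMN
    dai_out += m.sell_emn(emn_back)      # 5. sell that EMN too
    profit = dai_out - loan_dai          # 6. repay the flash loan, keep the rest

    # The attacker ends with no EMN and no eAAVE; the remaining supply is all
    # honest holders', so the DAI reserve is exactly what they can still redeem.
    return {
        "profit": profit,
        "honest_loss": honest_value_before - m.emn.reserve,
        "reserve_after": m.emn.reserve,
    }


if __name__ == "__main__":
    print(f"honest round trip: {honest_round_trip(2_000_000):+.2f} DAI")
    r = flash_loan_attack(2_000_000)
    print(f"attacker profit:   {r['profit']:+,.2f} DAI")
    print(f"honest holders can now redeem {r['reserve_after']:,.2f} DAI")
```

Running it shows the point the paragraph makes: minting and immediately selling EMN nets nothing, while the detour through the eToken pulls DAI out of the reserve that honest depositors believed backed their EMN, and the attacker's profit equals their loss to within rounding. Repeating the cycle, as the text describes, extracts more each time.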
15 Million Dai
In total, nearly 15M DAI was siphoned off, leaving virtually every participant with nothing but a lesson in diligence to show for it.
Luckily for those affected, the attacker has since returned $8M of the stolen funds, enough for a roughly 50% refund based on balances taken at a snapshot the block before the hack took place.
Since we have received 8M DAI, we are working towards distributing them to the people who got rekt. I have finished the first version of the snapshot which uses bonding curve rates of EMN, eCRV, eLINK, eAAVE, eYFI, eSNX at block 10954410. It includes 3656 addresses.
— banteg (@bantg) September 29, 2020
Now, many are left to theorize why any funds were returned at all, and whether this exploit marks the death of Eminence Finance before it ever began.
Are we going to question why the hacker sent back half of the funds unasked, or nah?
— Hasu (@hasufl) September 29, 2020
Risk of Unaudited Code
Cronje has signaled that the experiment is beyond recovery. Despite a fascinating premise, Andre’s diehard following has taken testing in prod over the edge, and Eminence is a reminder that unaudited, unfinished contracts can and do get exploited.
While this is certainly not the last experiment from Cronje, let Eminence serve as a warning: until there is an official Medium post about a project the DeFi rockstar is affiliated with, these contracts are not meant to be toyed with.