Eminence (Yearn Finance) DeFi Hack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 11:55, 2 May 2023 by Azoundria (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Eminence

Eminence was an early beta NFT game which was launched by Andre Cronje. Users piled in to invest their funds in the unproven platform.

The platform was exploited by an attacker who stole the full $15m, returning $8m to investors. Those $8m were subsequently distributed back to investors.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23]

About Eminence

"Andre Cronje became a superstar of the DeFi scene after launching the yEarn yield optimizer. The corresponding token, YFI, surged from 0 to tens of thousands of dollars in a matter of weeks. Consequently, many profit-seeking users started to closely monitor Andre’s activity to jump into his new projects before others."

"On Sept. 28, Andrew Cronje, the head honcho at Yearn Finance, retweeted graphic designs for a new project called Eminence, so described by Cronje as a decentralized finance (DeFi) protocol for a “gaming multiverse.” The game is allegedly a spin-off of a 2016 kickstarter trading card game called Eminence: Xander’s Tales and may incorporate non-fungible tokens (NFTs)." "After Andre mentioned its unaudited beta smart contract in a tweet, users threw $15 million into it."

"Within hours of those contracts being deployed, they had already been exploited. The NFT focused Eminence platform had attracted around $15 million from FOMO fueled ‘degens’ (degenerate farmers) piling into the untested and unverified EMN protocol." "Since the contract was in the beta stage, it had a vulnerability, and hackers drained users’ funds by minting EMN tokens and selling them for more valuable assets on Sept. 28." "The reckless investors of the decentralized finance (DeFi) projects had to pay a massive toll as $15 million in digital currencies were siphoned by the hackers."

"For Eminence, users would deposit DAI into the smart contract and receive EMN in return. If the EMN is sent to the smart contract, it is burned and the user receives DAI in return."

"You could also exchange EMN for five other tokens (eAAVE, eLINK, eYFI, eSNX and eCRV, all Eminence wrapped versions of the popular tokens with the same tickers). Doing so would burn the deposited EMN. Inversely, if you deposit these tokens into their respective bonding curve contracts, it is burned and you receive newly minted EMN."

"To exploit these contracts, the attacker took out a flash loan for 15 million DAI from Uniswap and used this to buy EMN. He then traded and burned half this EMN for eAAVE, driving up EMN’s price. From here, he traded the rest of his EMN for DAI, traded his eAAVE to mint more EMN and then finally traded this EMN for DAI."

"When Cronje was woken a few hours later, he discovered that the contracts had been exploited for the full $15 million, and the hacker bizarrely sent $8 million back into his Yearn deployer account. Cronje stated that he would refund the $8 million following several threats" “As I am receiving a fair amount of threats, I have asked yearn treasury to assist with refunding the 8m the hacker sent… Funds will be returned to holders pre-hack snapshot.” "[N]ot even 72 hours after the exploit, affected users have had a portion of their losses returned." "[Andre] has also stated that he will continue to build the project and deploy test contracts, which are likely to contain vulnerabilities."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Eminence (Yearn Finance) DeFi Hack
Date Event Description
September 28th, 2020 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $15,000,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered has been estimated at $8,000,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The Eminence project was an experimental smart contract hot wallet which had no audits nor pre-launch testing, and yet over $15m was invested. Having an audit would have most likely prevented the situation, as would limiting the level of funds in the hot wallet portion of the contract, with the majority of funds in an offline multi-sig wallet held by trusted and trained individuals.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Exclusive: YFI’s Andre Cronje is tired, broke and close to quitting DeFi - Decrypt (Aug 7, 2020)
  2. @AndreCronjeTech - Twitter (Sep 28, 2020)
  3. @AndreCronjeTech - Twitter (Sep 28, 2020)
  4. Hackers Stole $15 Million from Andre Cronje’s New DeFi Project (Sep 29, 2020)
  5. Yearn Finance Foray into Gaming Multiverse Results in $15 Million Contract Hack (Sep 30, 2020)
  6. Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 22, 2021)
  7. Unaudited Crypto Gaming Platform, Eminence, Hacked for $15 Million | Crypto Briefing (Jun 27, 2021)
  8. @eminencefi Twitter (Jun 27, 2021)
  9. DeFi Degens Hit by Eminence Exploit Recover Some Losses - CoinDesk (Jul 12, 2021)
  10. CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20, 2021)
  11. SlowMist Hacked - SlowMist Zone (May 18, 2021)
  12. @AndreCronjeTech Twitter (Jul 12, 2021)
  13. Eminence, el juego basado en DeFi perdió $15 millones por un errorNoticieroBitcoin (Jul 12, 2021)
  14. Yearn Finance (YFI) Deploys NFTs Venture Eminence, Gets Exploited Within Hours - CryptoTicker (Jul 12, 2021)
  15. Eminence Finance Rug Pull, Speculators Lose $15M on EMN - DeFi Rate (Jul 12, 2021)
  16. DeFi investors lose $15 million in Eminence flash loan exploit (Jul 12, 2021)
  17. DeFi project Eminence lost $15 million of users funds. : defi (Jul 12, 2021)
  18. YFI founder's incomplete DeFi protocol Eminence exploited, attacker drained $15M and then returned $8M (Jul 12, 2021)
  19. Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021? | CertiK Foundation Blog (Jul 23, 2021)
  20. Comprehensive List of DeFi Hacks & Exploits - CryptoSec (Jan 8, 2022)
  21. Hackers Drain $15 Million From ‘Unreleased’ Yearn Finance Project - Decrypt (Jan 9, 2022)
  22. https://mobile.twitter.com/Cointelegraph/status/1310791040601698306 (Jan 10, 2022)
  23. @amanusk_ Twitter (Jun 26, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Eminence_(Yearn_Finance)_DeFi_Hack&oldid=3856"