Using An Antique Contract to Manipulate cDAI and Curve, Searcher Profits $27K in One TX
Don't leave your old contract there, otherwise it might come back and bite you.
On June 7th, a contract, StrategyDAICurve, that had been idle for 923 days was used as a medium to manipulate the cDAI contract and Curve.fi’s yDAI+yUSDC+yUSDT+yTUSD pool together, twisting tokens’ valuation and eventually generating over $27K arbitrage profit for the manipulator.
A tweet from DeFi Princess brought our attention to this arbitrage. Even though someone said it looked like an arb on top of a front run, after thorough analysis, we concluded the root cause was the price manipulation using flash loans.
Let’s break down the details using the token flow chart from our EigenTx transaction visualizer.
Assets and Addresses
First, take a look at the assets involved:
cDAI: the crypto issued by Compound.Finance. When you lend your DAI to a DAI loan pool of Compound, you will receive cDAI.
yDAI: the yield-bearing DAI token that is part of Yearn Finance. When you deposit your DAI in y.curve.fi, you will receive yDAI in return.
yUSDC: the yield-bearing USDC token that is part of Yearn Finance.
yUSDT: the yield-bearing USDT token that is part of Yearn Finance.
yTUSD: the yield-bearing TUSD token that is part of Yearn Finance.
yDAI+yUSDC+yUSDT+yTUSD: aka yCRV, the interest-earning token representing your share of the Y pool composed of DAI, USDT, USDC, and TUSD on Curve.
yyDAI+yUSDC+yUSDT+yTUSD: the yield-bearing yDAI+yUSDC+yUSDT+yTUSD token that is part of Yearn Finance.
Now the protocols and addresses.
Compounder Dai Stablecoin (cDAI) contract.
The searcher/manipulator’s contract/bot.
The Uniswap V3 pool for DAI-USDC.
The searcher/manipulator’s EOA.
Yearn:yDAI Token contract.
The manipulated vault contract was deployed by an address marked as Compound.Finance.deployer on Etherscan. It is supposed to be used for DAI and yCRV.
The manipulation happened because the balance of StrategyDAICurve is an input for the valuation formula for every share of cDAI.
1 cDAI = (Balance of cDAI pool + balance of StrategyDAICurve ) / totalSupply of cDAI
Yearn:yCRV/yDAI+yUSDC+yUSDT+yTUSD Vault.
Curve’s y-pool contract.
It’s time to go through the whole transfers step by step.
How Did The Manipulator Get It Done?
Step 0: The searcher borrowed 1,239,990 DAI from Uniswap V3 Pool via its Flash Swaps feature.
Steps 1-2: The searcher deposited 200,000 DAI to cDAI contract and received minted 1,342,703.0335 cDAI as IOU from Compound.
When depositing in steps 1-2, the balance of StrategyDAICurve was 0. At that moment, 1 cDAI ~= 0.14895 DAI, so the searcher received cDAI at that price for the 200,000 DAI deposited.
Steps 3-4: The searcher deposited 1,000,000 DAI to yDAI contract and received minted 882,026.6170 yDAI as a yielding token from Yearn.
Steps 5-6: The searcher swapped 50,000 yDAI for 41,440.664883 yUSDC on Curve.fi.
Steps 7-8: The searcher swapped 160,000 yDAI for 94,020.9230 yTUSD on Curve.fi.
Steps 9-10: The searcher swapped 672,026.6170 yDAI for 4869390013192846 yUSDT on Curve.fi.
Step 11: The searcher sent 40,000 DAI to StrategyDAICurve, raising the price of cDAI against DAI from 0.14895 to 0.17456.
Step 12: While cDAI was being withdrawn, StrategyDAICurve sent 1,751.4333 DAI to the cDAI contract to fill the gap between the Flash Swaps loan and the swapped-out DAI from the cDAI contract.
Steps 13-14: The searcher withdrew 234,388.3511 DAI from cDAI and burnt the IOU: the minted 1,342,703.0335 cDAI.
When withdrawing cDAI in steps 13-14, the price of cDAI against DAI was 0.17456 because the searcher had transferred 40,000 DAI to the StrategyDAICurve contract in step 11. Essentially, the searcher distorted the valuation of cDAI against DAI by way of StrategyDAICurve.
By burning the 1,342,703 cDAI, the searcher received 34,388.3511 more DAI than the 200,000 DAI initially deposited.
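The cDAI leg (steps 1-2 and 11-14) replayed against the valuation formula above, as an added Python model that is not code from the original article or from any of the contracts involved. The vault's pre-existing DAI balance is inferred here from the step 12 and steps 13-14 figures, and the `use_booked_balance` variant, which prices shares only from assets the vault itself moved into the strategy, is an assumed mitigation rather than something the deployed contract does.

```python
from decimal import Decimal as D

class ShareVault:
    """Toy model of the page's formula:
    price = (vault balance + strategy balance) / totalSupply."""

    def __init__(self, pool, supply, use_booked_balance):
        self.pool = pool              # DAI held by the vault contract
        self.supply = supply          # shares (cDAI) outstanding
        self.strategy_raw = D(0)      # strategy's token balance; any transfer raises it
        self.strategy_booked = D(0)   # only what the vault itself sent to the strategy
        self.use_booked_balance = use_booked_balance

    def price(self):
        strat = self.strategy_booked if self.use_booked_balance else self.strategy_raw
        return (self.pool + strat) / self.supply

    def deposit(self, dai):
        shares = dai / self.price()
        self.pool += dai
        self.supply += shares
        return shares

    def unsolicited_transfer(self, dai):
        self.strategy_raw += dai      # plain token transfer, bypasses vault accounting

    def withdraw(self, shares):
        dai = shares * self.price()
        self.supply -= shares
        top_up = max(D(0), dai - self.pool)   # strategy fills any shortfall (step 12)
        self.strategy_raw -= top_up
        self.pool += top_up - dai
        return dai, top_up

def replay(use_booked_balance):
    """Replay steps 1-2 and 11-14; returns (price before, price after, DAI out, top-up)."""
    deposit, minted = D("200000"), D("1342703.0335")          # steps 1-2 (page figures)
    pool0 = D("234388.3511") - D("1751.4333") - deposit       # inferred, not stated on the page
    p0 = deposit / minted                                     # ~0.14895 DAI per cDAI
    vault = ShareVault(pool0, pool0 / p0, use_booked_balance)
    before = vault.price()
    shares = vault.deposit(deposit)
    vault.unsolicited_transfer(D("40000"))                    # step 11
    after = vault.price()
    dai_out, top_up = vault.withdraw(shares)                  # steps 12-14
    return before, after, dai_out, top_up

if __name__ == "__main__":
    for mode in (False, True):
        print("booked accounting:", mode, [round(x, 5) for x in replay(mode)])
```

With the raw strategy balance in the price, the model reproduces the 0.17456 price and the 234,388.3511 DAI payout of steps 13-14. With booked accounting the same sequence pays back the 200,000 DAI deposited and the 40,000 DAI transfer never enters the share price.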
As of now, the searcher has finished manipulating the valuation of cDAI. Next, they would manipulate the valuation of yDAI on Curve.
Steps 15-16: The remaining balance of StrategyDAICurve was deposited into Yearn, and StrategyDAICurve received minted 33,736.2540 yDAI as IOU from Yearn.
Steps 17-18: Then 33,736.2539 yDAI was deposited to Curve, and StrategyDAICurve received minted 361,398.6858 yDAI+yUSDC+yUSDT+yTUSD as yield farming gain.
The searcher used the exchanged yDAI in steps 3-4 to swap out many other tokens. In step 17, the searcher raised these tokens’ valuation by adding more yDAI to Curve.
Steps 19-20: 361,398.6858 yDAI+yUSDC+yUSDT+yTUSD was further deposited to Yearn: yCRV Vault and StrategyDAICurve received minted 308,048.8766 yyDAI+yUSDC+yUSDT+yTUSD as yield farming gain.
Steps 21-22: The searcher swapped 41,440.664883 yUSDC for 756,646.3952 yDAI on Curve.
Steps 23-24: The searcher swapped 4869390013192846 yUSDT for 51,086.4939 yDAI on Curve.
Steps 25-26: The searcher swapped 94,020.9230 yTUSD for 103,288.0079 yDAI on Curve.
During these steps, the searcher swapped the other tokens back for more yDAI, which was later cashed out for more DAI, part of which covered the cost of the 40,000 DAI.
Steps 27-28: The searcher burned 911,020.8971 yDAI, the IOU from Yearn to the searcher, and withdrew 1,032,872.3414 DAI.
Step 29: The searcher returned 1,240,113.999 DAI to Uniswap V3 Pool.
Step 30: The searcher took away the 27,146.6935 DAI as revenue.
To summarize, here are the tactics of the searcher/manipulator:
Borrowed DAI from Uniswap using Flash Swaps.
Deposited DAI to Compound to mint cDAI at a normal ratio, whose price would be raised against DAI by twisting the valuation using StrategyDAICurve.
Deposited DAI to Yearn to mint yDAI, which would be used to raise the valuation of LP tokens in Curve.
Swapped yDAI for yUSDC, yUSDT, and yTUSD on Curve.
Deposited yDAI to Curve and received synthetic LP tokens, raising the valuation of the LP tokens.
Deposited DAI to StrategyDAICurve, raising the price of cDAI against DAI.
Withdrew DAI from Compound by burning cDAI, making a DAI profit.
Swapped LP tokens for yDAI on Curve.
Withdrew DAI from Yearn by burning yDAI to get back DAI as revenue.
Paid back Uniswap’s Flash Swaps.
Ultimately, the searcher reaped more revenue by manipulating cDAI and Curve, covering the gap and leaving a surplus of 27,146 DAI.
Time to Clean Your Closet?
To conclude, antique contracts like StrategyDAICurve seem harmless at first look. However, due to the composability of smart contracts, unexpected results can jump out at projects and protocols that lack proper code and product management. And there are a lot of contracts like StrategyDAICurve out there, waiting for smart manipulators like the one we saw in this article.