Hack Track: Yei Finance Flow of Funds Analysis

Merkle Science
January 24, 2025

On December 2, 2024, Yei Finance, a money market on the Sei blockchain, announced it had uncovered unusual activity in its WBTC pool and was pausing withdrawals. Its investigative team subsequently identified an exploit and published a post-mortem on the $2.4 million hack.

The post-mortem focused on root cause analysis of the breach. The logic in ReserveLogic.sol that determines the scaling factors for user balances and accrued interest was vulnerable to sudden liquidity changes, such as those brought on by a flash loan attack. The component ScaledBalanceTokenBase.sol is used to calculate how many tokens should be burned or minted during deposits and withdrawals. If the liquidity index is manipulated through liquidity changes, the attacker ends up with “more value than deposited” and has “burned fewer tokens than withdrawn.”

Yei Finance’s post-mortem was comprehensive in detailing how the attack was planned and executed as well as their own plans for remediation. The organization’s efforts were widely lauded and it should come as no surprise that the organization was still able to close a $2 million seed round just two weeks later.

Our analysis here will therefore focus on the bigger picture and the laundering trail:

  • The criminal trail, as far as we know it, begins almost a year and a half earlier. In July 2023, lending protocol EraLend suffered a $3.4 million exploit. The attackers used a reentrancy attack targeting the burn and mint functions, similar to what was targeted at Yei Finance. Our flow of funds analysis connects the two crimes through a shared destination wallet and other links: the perpetrator behind the EraLend attack was the same as the one behind the Yei Finance attack.
  • In September 2024, Onyx Protocol was hacked for $3.8 million, also via a flash loan attack. The attacker minted and redeemed ETH in tiny quantities, exploiting a decimal-precision vulnerability in a low-liquidity market. The attack resembled the modus operandi of the Yei Finance hack, and our flow of funds analysis likewise links the two: the perpetrator behind the Onyx Protocol attack was the same as the one behind the Yei Finance attack.
  • With experience from at least two previous DeFi attacks, the perpetrators also had the funds necessary for another flash loan attack. Using some of the proceeds from EraLend and Onyx, the hackers deposited 182 ETH into the cross-chain automated market maker Chainflip, which sent part of the funds on as BTC to bc1qknee33zjlwvlgha6su6rgs00hjpr3zxqk0cyv8 and returned the remaining 127 ETH to 0x1de6f3ccfab74302d30aac3649b4700347bb52e8 as a refund. This ETH was used to generate the liquidity necessary to exploit Yei Finance on Sei.
  • To begin the attack, the hackers “deposited 0.1 WBTC into the yWBTC pool, initializing the liquidity.” They were then able to use the vulnerabilities in ReserveLogic.sol and ScaledBalanceTokenBase.sol to withdraw the stolen funds.
  • The laundering trail from there is unusual in its extensive use of chain-hopping. The hackers hopped across L1 chains such as Sei, Bitcoin, BSC, and Ethereum, as well as L2 chains such as Base.
  • After a bridge onto Arbitrum, the funds currently sit at 0xcd2860fc4abf1748b8e4aebf35ddef2ab03e17c5. On January 16, 2025, the majority of the funds were swapped from ETH to 1,006,152 DAI, a stablecoin pegged to the USD. The hacker likely wanted to minimize the volatility of his holdings at a time when crypto prices were swinging up and down due to Trump’s inauguration, his meme coins, and other major regulatory and economic changes. What is odd is that the hacker chose to keep some value in 281 ETH. Although ETH is the second largest coin by market capitalization, hackers tend to convert their haul into a single preferred coin.
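The shared-destination linking used above can be reproduced over any exported transfer list. The following Python is an added example, not Merkle Science's tooling or data: it walks a transfer graph outward from two exploit wallets, reports every address reachable from both, and reconstructs the hop-by-hop path with the chain of each leg so bridged legs are visible. All addresses, chains and amounts are constructed labels.

```python
from collections import deque

# Constructed sample transfers for illustration only (not real on-chain data):
# (chain, sender, receiver, amount). Labels stand in for real addresses.
SAMPLE_TRANSFERS = [
    ("eth", "exploit_a", "hop_a1", 100.0),
    ("eth", "hop_a1", "cashout", 95.0),
    ("eth", "exploit_b", "hop_b1", 50.0),
    ("eth", "hop_b1", "bridge_b", 50.0),
    ("arb", "bridge_b", "cashout", 49.5),  # bridged leg lands on another chain
    ("eth", "exploit_c", "hop_c1", 10.0),  # unrelated incident, no shared wallet
]

def build_graph(transfers):
    """Adjacency list: sender -> list of (receiver, chain of that transfer)."""
    graph = {}
    for chain, src, dst, _amt in transfers:
        graph.setdefault(src, []).append((dst, chain))
    return graph

def downstream(graph, origin, max_hops):
    """BFS from origin; returns {address: (parent, chain of incoming transfer)}."""
    parents = {origin: (None, None)}
    depth = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_hops:
            continue  # cap the trace so a busy exchange wallet does not swallow the graph
        for nxt, chain in graph.get(node, []):
            if nxt not in parents:
                parents[nxt] = (node, chain)
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return parents

def path_to(parents, target):
    """Reconstruct the hop-by-hop path as [(address, chain_in)], origin first."""
    path, node = [], target
    while node is not None:
        parent, chain = parents[node]
        path.append((node, chain))
        node = parent
    return list(reversed(path))

def shared_destinations(transfers, origin_a, origin_b, max_hops=6):
    """Addresses reachable from both exploit wallets, each with both paths."""
    graph = build_graph(transfers)
    pa, pb = downstream(graph, origin_a, max_hops), downstream(graph, origin_b, max_hops)
    common = (set(pa) & set(pb)) - {origin_a, origin_b}
    return {addr: (path_to(pa, addr), path_to(pb, addr)) for addr in sorted(common)}
```

Running `shared_destinations(SAMPLE_TRANSFERS, "exploit_a", "exploit_b")` links the two constructed incidents through `cashout`, while pairing either with `exploit_c` returns nothing.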

Key takeaways

  • Out of the OWASP Smart Contract Top 10, several vulnerabilities require capital to execute. These include price oracle manipulation, denial of service attacks, and, as in the case of Yei Finance, flash loan attacks. The opportunity for crypto investigators is that most crimes requiring capital will be funded by other onchain crimes. Given this, crypto investigators should prioritize tools that have an extensive library of cases with attribution. In the Yei Finance attack, we were able to quickly conclude that the perpetrators were also involved in the EraLend and Onyx Protocol attacks due to a common wallet and other links. Additional intelligence gives crypto investigators a leg up in identifying and tracking perpetrators.
  • The hackers used extensive chain-hopping. While no blockchain analytics tool covers every blockchain, crypto investigators need a tool that supports the ones most commonly used in laundering. With that coverage, crypto investigators can still trace the general outline of where the illicit funds went and how they got there, even if some more obscure chains are not supported.
  • Yei Finance was able to raise a $2 million seed round (ironically a little less than the $2.4 million stolen) nearly two weeks later, after working with crypto investigators to detail a timeline of the hack, identify a root cause, and plan security measures to prevent similar breaches. As in traditional business sectors, no crypto exchange is ever 100% immune from the threat of hacks. In an environment where a breach is bound to happen, crypto businesses must prioritize having access to the best blockchain analytics tools. With these in hand, crypto businesses can quickly launch an investigation, take appropriate countermeasures, and, most importantly, restore faith among stakeholders, as Yei Finance did with its customers and seed investors.

The Yei Finance hack illustrates the need for crypto investigators to prioritize tools with extensive case libraries and attribution capabilities, as capital-intensive crimes like flash loan attacks often link to other on-chain crimes. The hackers used extensive chain-hopping, making it crucial for investigators to have tools supporting multiple blockchains. Despite the breach, Yei Finance raised a $2 million seed round after working with investigators to understand the attack and improve security. This highlights the importance of blockchain analytics tools in quickly responding to hacks and maintaining stakeholder trust. Contact us for a free demo of Merkle Science’s Tracker.