Value DeFi Protocol

2020-11-13

Value DeFi published a tweet (later deleted) claiming the protocol had the 'highest security' and was capable of preventing flash loan attacks. The MultiStables vault was launched.

2020-11-14

Flash loan exploit drained approximately $7.4 million in DAI from the MultiStables vault. Attacker used 80,000 ETH from Aave and ~$116 million DAI from Uniswap to manipulate Curve 3pool oracle prices. Attacker returned $2 million and left on-chain message: 'do you really know flashloan?'

2020-11-14

VALUE governance token price dropped approximately 27–30% following exploit news.

2020-11-15

Value DeFi published official post-mortem acknowledging two root cause vulnerabilities, halted MultiStables vault deposits, and announced IOU compensation mechanism for affected users.

2020-11-16

Value DeFi announced integration with Chainlink's decentralized oracle network to replace the AMM-based Curve spot price oracle that was exploited.

2021-05-05

Second major exploit on BSC: attacker re-initialized the vStake pool due to a missing 'initialized = true' guard in the initialize() function, assumed owner role, and called governanceRecoverUnsupported() to drain approximately $10 million.

2021-05-07

Iron Finance, a partner protocol whose liquidity pools were affected by the Value DeFi vStake exploit, published an incident report confirming the impact.

2021-05-08

Third exploit: Value DeFi's vSwap module on BSC was exploited via a flaw in the ensureConstantValue validation function, allowing an attacker to drain multiple liquidity pools using flash loans. SlowMist published an analysis.

2021-05-08

Value DeFi became the first protocol to appear twice on the rekt.news REKT leaderboard following the successive May 2021 exploits.