Analysis of $700k oracle manipulation exploit highlights vulnerabilities in DeFi vaults

Theblock

A recent decentralized finance attack highlights how vulnerabilities in the standard implementation of certain DeFi vaults can be exploited by a sophisticated threat actor using familiar tools like flash loans to manipulate exchange rates and mislead price oracles.

On February 27, an attacker executed a flash loan-based "donation attack" (transferring assets directly into a vault so that its assets-per-share ratio rises without any new shares being minted), borrowing approximately $4 million from Aave to exploit the ERC-4626 vault token for Mountain Protocol's wrapped yield-bearing stablecoin, wUSDM, artificially inflating its internal exchange rate. The underlying stablecoin, USDM, is collateralized by short-term U.S. Treasury bills.

As part of the donation attack, the threat actor inflated the exchange rate of wUSDM from 1.06 to 1.7, then used two accounts to perform a self-liquidation on lending platform Venus Protocol. Though Venus reacted quickly to freeze the market, the attacker managed to profit around $200,000, while Venus suffered a net loss of over $716,000 as a result, according to a detailed post-mortem recently released by risk management firm Chaos Labs.

"Both teams implemented appropriate emergency measures — freezing markets, adjusting risk parameters, and resetting the exchange rate," said Yoni Keselbrener, head of DeFi at Lightblocks Labs, in an interview with The Block. Keselbrener contributes to oracle infrastructure on eOracle, an Ethereum-native oracle network developed on EigenLayer that allows for the integration of real-world data into decentralized applications. 

The attacked vault implements ERC-4626, the tokenized vault standard originally introduced in May 2022 that has since become widely adopted. The standard itself, however, "...does not include safeguards against manipulated exchange rates when used in lending protocols," according to the post-mortem.

Lending platform Euler Finance published a research report on vulnerabilities in ERC-4626 vaults in January 2024, arguing that most vaults don't explicitly implement safety checks to prevent exchange rate manipulation. "We expect that in many cases two or more mitigation mechanisms might need to be combined for greater effect," the authors wrote.

Chaos Labs acknowledged in its post-mortem that safety strategies could have prevented the attack. "To mitigate this attack vector, the wUSDM contracts could have used a cross-chain exchange rate oracle, or, following proper disclosure, Venus would have implemented security measures to limit the appreciation of the exchange rate," Chaos Labs wrote. "To further mitigate this attack vector, an upside-capped oracle setup—such as Aave’s CAPO mechanism—will be implemented for all yield-bearing assets, preventing manipulation through artificial yield spikes."

"It applies to any vault [by the way], not only standardized," added the X account of Curve Finance in response to a thread by Keselbrener discussing the vulnerability. "Just a common misstep by lending platforms."

Keselbrener said a CAPO-style cap is effective, but such caps require "...additional code complexity and ongoing management to ensure they don't restrict legitimate yield growth while preventing manipulation."
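To make the two mechanisms concrete, the following is an added example (not code from Mountain Protocol, Venus, Chaos Labs or Aave) that models the donation attack described above and the upside-capped oracle that Chaos Labs and Keselbrener discuss. It keeps bare ERC-4626 share accounting (rate = totalAssets / totalSupply), lets an attacker deposit and then donate within one block so that the rate jumps from 1.06 to 1.70, and compares the borrowing capacity a lending market would grant when it prices the shares with the raw rate versus with a cap that may only grow at a bounded annual percentage from a snapshot. The class and function names, the vault sizes, the 80% LTV and the 10% per-year growth bound are all assumptions; the cap is modelled on the idea behind Aave's CAPO rather than on its code, and the self-liquidation that extracted the profit on Venus is not modelled.

```python
"""Constructed model of an ERC-4626 'donation attack' and of an upside-capped
exchange-rate oracle. Added example; not code from Mountain Protocol, Venus,
Chaos Labs or Aave. All sizes and parameters below are assumptions.
"""
from dataclasses import dataclass

WAD = 10**18             # fixed-point scale for rates: 1.0 == 10**18
BPS = 10_000             # basis points
YEAR = 365 * 24 * 3600   # seconds


@dataclass
class Vault:
    """Bare ERC-4626 share accounting: rate = totalAssets / totalSupply."""
    total_assets: int
    total_shares: int

    def exchange_rate(self) -> int:
        """Equivalent of convertToAssets(WAD): assets per share, WAD-scaled."""
        return self.total_assets * WAD // self.total_shares

    def deposit(self, assets: int) -> int:
        """Mint shares at the current rate; the rate itself does not move."""
        shares = assets * self.total_shares // self.total_assets
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def donate(self, assets: int) -> None:
        """Plain token transfer into the vault: assets rise, no shares minted."""
        self.total_assets += assets

    def redeem(self, shares: int) -> int:
        """Burn shares for their pro-rata assets at the current rate."""
        assets = shares * self.total_assets // self.total_shares
        self.total_assets -= assets
        self.total_shares -= shares
        return assets


@dataclass
class CappedRateOracle:
    """Hypothetical upside cap, modelled on the idea behind Aave's CAPO:
    reports min(actual, cap), where cap grows linearly from a snapshot at
    max_yearly_growth_bps per year, so a same-block jump cannot pass through."""
    snapshot_rate: int
    snapshot_time: int
    max_yearly_growth_bps: int

    def cap(self, now: int) -> int:
        elapsed = max(0, now - self.snapshot_time)
        growth = self.snapshot_rate * self.max_yearly_growth_bps * elapsed // (BPS * YEAR)
        return self.snapshot_rate + growth

    def price(self, actual_rate: int, now: int) -> int:
        return min(actual_rate, self.cap(now))


def borrow_capacity(shares: int, rate: int, ltv_bps: int) -> int:
    """Debt a lending market allows against `shares` valued at `rate`."""
    return shares * rate // WAD * ltv_bps // BPS


def run_scenario(capped: bool, ltv_bps: int = 8_000) -> dict:
    """Deposit, donate and redeem within one block, and report what a market
    pricing the shares with a raw or a capped oracle would lend against them.
    Assumed: existing vault of 10_600 assets / 10_000 shares (rate 1.06);
    attacker deposits 1_060_000 and then donates 646_400 (rate becomes 1.70)."""
    now = 1_700_000_000                       # arbitrary block timestamp
    vault = Vault(total_assets=10_600, total_shares=10_000)
    oracle = CappedRateOracle(vault.exchange_rate(), now, max_yearly_growth_bps=1_000)

    def price() -> int:
        raw = vault.exchange_rate()
        return oracle.price(raw, now) if capped else raw

    rate_before = vault.exchange_rate()
    attacker_shares = vault.deposit(1_060_000)
    capacity_before = borrow_capacity(attacker_shares, price(), ltv_bps)

    donation = 646_400
    vault.donate(donation)                    # the flash-loan funded step
    rate_after = vault.exchange_rate()
    oracle_price = price()
    capacity_after = borrow_capacity(attacker_shares, oracle_price, ltv_bps)

    # The attacker holds ~99 % of the shares, so redeeming returns almost all of
    # the donation; the manipulation only costs the slice accrued to other holders.
    recovered = vault.redeem(attacker_shares)
    return {
        "rate_before": rate_before,
        "rate_after": rate_after,
        "oracle_price": oracle_price,
        "capacity_before": capacity_before,
        "capacity_after": capacity_after,
        "attacker_net_cost": 1_060_000 + donation - recovered,
    }


if __name__ == "__main__":
    for capped in (False, True):
        r = run_scenario(capped)
        print(f"{'capped' if capped else 'raw'} oracle: rate {r['rate_before'] / WAD:.2f} -> "
              f"{r['rate_after'] / WAD:.2f}, market price {r['oracle_price'] / WAD:.2f}, "
              f"borrow capacity {r['capacity_before']} -> {r['capacity_after']}, "
              f"attacker net cost {r['attacker_net_cost']}")
```

Two things the numbers make visible: with the raw rate, a single donation raises the attacker's borrowing capacity by 60% inside one block, while the donation itself is almost entirely recovered on redemption because the attacker owns nearly all the shares, which is why flash-loan capital makes the manipulation cheap; with the cap, the vault's rate still jumps but the market keeps pricing the shares at the snapshot until time has passed. The cap is also where the "ongoing management" Keselbrener mentions comes in: if the snapshot is never refreshed, or the growth bound is set below the asset's real yield, legitimate appreciation is clipped and collateral is undervalued.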

"As DeFi becomes more complex, we need to think beyond simple price feeds to understand the entire risk profile of the assets we're integrating," Keselbrener said. "The need for cross-chain oracle infrastructure isn't a drawback but an additional security layer. Specialized oracle providers can also implement specific safeguards designed to detect and prevent these exact manipulation scenarios."

Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image on this page infringes rights, please send the relevant proof of rights and proof of identity to support@aicoin.com, and the platform's staff will investigate.
