Andre Cronje's new project unexpectedly exposed! Enthusiasts buy in frenzy, hackers exploit loophole and harvest $15 million


A new project called Eminence, deployed by Yearn.finance (YFI) founder Andre Cronje, was attacked during the testing phase. Hackers exploited a vulnerability to profit $15 million from FOMO enthusiasts. How did all of this happen?

Project with Nothing but a Logo

Early yesterday morning, a project called Eminence emerged in the cryptocurrency community. Despite the lack of any announcements or information other than images, the project garnered attention mainly because Andre Cronje, the founder of the decentralized finance protocol Yearn.finance (YFI), retweeted the project's Twitter account. This retweet by Andre Cronje piqued the interest of enthusiasts.

Soon, people on Twitter and other social media platforms discovered from Ethereum chain data that the deployers of Eminence's contracts were the same individuals as the deployers of Yearn.finance's contracts, namely Andre Cronje himself.

The contracts involved many new tokens, including Eminence (EMN), GIL (GP), and a series of "eTokens," each representing different DeFi tokens such as YFI, AAVE, SNX, and CRV DAO tokens. Although no one knew the purpose of these eTokens, the fact that "the contract deployer is Andre Cronje" had already captured the hearts of enthusiasts.

FOMO Buying Frenzy

Approximately 4 to 5 hours after the contracts were deployed, more and more users discovered the coin minting and Bancor bonding curve design in the contracts. As a result, people began locking in Dai in the contracts and minting EMN. With the FOMO sentiment spreading throughout the community, the total locked value in the EMN contract exceeded $12 million in a very short period of time. Andrew Kang, the founder of Mechanism Capital, commented on this absurd FOMO behavior:

"People are sending millions of dollars' worth of assets to smart contracts for a token of an unknown project, with no information other than the project's logo, no official website, and the only way to obtain the token is to interact with the smart contract."

Hacker Exploits Vulnerability, Profits $15 Million

Unfortunately, a hacker discovered a vulnerability in the contract and used flash loans to launch an attack, causing significant losses to all those who entered with FOMO.

As mentioned earlier, the Eminence contract featured a coin minting and Bancor bonding curve design, allowing users to use DAI as the reserve currency for the EMN token, and the price of the EMN token depended on the circulation of EMN and the amount of DAI in the reserve.

The token named eAAVE was generated as an eToken using EMN tokens as the reserve currency. However, under the contract's rules at the time, "sending" EMN tokens to the contract let you mint/purchase eAAVE, but the EMN you sent was burned.

According to Twitter user Bartek Kiepuszewski's statement, the hacker exploited this vulnerability, borrowing $15 million DAI through flash loans from Uniswap and buying EMN (1.38 billion tokens). Subsequently, the hacker sent half of the EMN (690 million tokens) to the contract and purchased eAAVE (572,000 tokens), directly reducing the circulating supply of EMN by 690 million tokens and significantly increasing the EMN price due to the mechanism of the Bancor bonding curve.

The hacker then sold the other half of the EMN at a high price, earning 10.024 million DAI. Subsequently, they sold off the eAAVE tokens in hand to reclaim the other half of the EMN. As the EMN was re-minted, causing the EMN price to return to its original level, the hacker sold this other half of the EMN, making a profit of 6.649 million DAI. Deducting the cost of $15 million DAI, the hacker's net profit was approximately 1.673 million DAI from a single operation. It should be emphasized that the 1.673 million DAI was just the profit from one round of operations, as the hacker executed a total of 9 rounds.

As shown below, the hacker repeatedly performed this series of operations in a single transaction using flash loans.

Source: Etherscan
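
The pricing flaw described above can be reproduced with a small model of a Bancor-style curve, comparing a deposit that burns EMN with one that holds it in escrow. This is an added example, not code from the Eminence contracts: the reserve ratio of 0.5, the starting balances and the names Curve, backing and round_trip are assumptions, and the eAAVE leg is reduced to the EMN burn and re-mint it causes.

```python
from dataclasses import dataclass

@dataclass
class Curve:
    """Bancor-style curve: spot price = reserve / (supply * cw)."""
    reserve: float    # DAI held by the curve
    supply: float     # EMN in circulation
    cw: float = 0.5   # reserve ratio (assumed; the page does not give it)

    def buy(self, dai: float) -> float:
        minted = self.supply * ((1 + dai / self.reserve) ** self.cw - 1)
        self.reserve += dai
        self.supply += minted
        return minted

    def sell(self, emn: float) -> float:
        dai = self.reserve * (1 - (1 - emn / self.supply) ** (1 / self.cw))
        self.reserve -= dai
        self.supply -= emn
        return dai

    def backing(self) -> float:
        """Curve invariant; constant while only buy() and sell() run."""
        return self.reserve / self.supply ** (1 / self.cw)

def round_trip(burn_on_deposit: bool, dai_in: float = 15e6):
    """One buy / deposit half / sell / redeem / sell cycle.
    Returns (DAI gained, relative change in the curve invariant)."""
    curve = Curve(reserve=10e6, supply=1e9)   # constructed starting state
    start = curve.backing()
    half = curve.buy(dai_in) / 2
    if burn_on_deposit:
        curve.supply -= half    # flawed design: supply shrinks, reserve stays
    out = curve.sell(half)      # the other half is priced on a smaller supply
    if burn_on_deposit:
        curve.supply += half    # redeeming the eToken re-mints the EMN
    out += curve.sell(half)
    return out - dai_in, curve.backing() / start - 1

if __name__ == "__main__":
    for burn in (True, False):
        gain, drift = round_trip(burn)
        print(f"burn_on_deposit={burn}: gain={gain:,.0f} DAI, drift={drift:+.2%}")
```

With escrow the cycle returns exactly the DAI put in and the invariant is unchanged; with the burn, the gain equals the shortfall left in the reserve, which is why a check on the invariant after any supply change outside the curve catches the flaw.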

After a series of attacks, the hacker profited a total of 15 million DAI. Surprisingly, the hacker voluntarily returned 8 million DAI to Eminence's contract deployer, Andre Cronje.

Andre Cronje Explains

After some time, Andre Cronje seemed to wake up from the nightmare and discovered the tragedy. He took to Twitter to inform the public that the contracts he deployed were for an Ethereum-based card game called "Eminence," which is still under development. He claimed that the game is scheduled to be officially launched in three weeks, and although he had deployed the contracts on the chain, the functionality is incomplete and still in the testing phase. Unbeknownst to him, the community found the contracts on their own and called the coin minting function themselves.

https://twitter.com/AndreCronjeTech/status/1310763506170499072?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1310763506170499072%7Ctwgr%5Eshare_3&ref_url=https%3A%2F%2Fcryptoslate.com%2Fdefi-darling-yearn-finance-yfi-deployed-a-new-token-then-15m-was-stolen%2F

Regarding the 8 million USD given by the hacker, Andre Cronje released a tweet promising to use the funds to compensate users affected by the attack on tokens purchased before block height 10954410. Additionally, Andre Cronje stated that he will continue to complete the contract testing and development for Eminence, but will not use Twitter or the current Ethereum address for future projects.