Iearn.Finance users dodged a bullet yesterday with the LendfMe hack

Programmatic yield chasers like Iearn.Finance and Idle.Finance have become popular with the rise of the defi economy on ethereum.

What better hands-off way to earn passive income than to have your stabelcoins automatically moved to the defi protocol with the highest interest rate, right?

Sound good in theory, but in practice these services multiply the risks as your funds are spread out over multiple protocols instead of one. So the attack surface and tail risk actually increases.

When I learned of the LendfMe/dForce hack on Twitter yesterday, one of the first things that came to mind was seeing dForce interest rates displayed in the Iearn dashboard the last time I used the service.

Luckily for every single depositor of Iearn, the developer Andre Cronje never enabled dForce. The interest rates displayed were only for information purposes.

So why was dForce never enabled?

Well.....until yesterday, a large portion of the defi community was still not aware of the fact that LendfMe/DForce is a copy-paste clone of Compound V1, despite major news outlets like TheBlock reporting on it. https://www.theblockcrypto.com/daily/54389/vc-backed-compound-is-alleging-that-a-fast-growing-defi-startup-stole-its-code-the-dispute-raises-questions-about-what-open-source-actually-means

A few months ago, Compound's legal team went on the offensive and told developers that anyone integrating dForce would have a legal liability. The following screencap was taken by myself on the Curve Telegram channel. (Curve uses Iearn's Y tokens on their protocol https://y.curve.fi)

This prevented dForce being enabled on Iearn!

Had this not taken place, Iearn depositors would have lost millions yesterday when LendfMe was drained by an imBTC ERC777 exploit.

If you are going to use a yield-chasing service, you need to know all the underlying protocols being used and the risks with each one.

---

Posted via Steemleo