The decentralized finance community was rocked on September 29, 2020, by the news that Eminence.Finance — an unfinished DeFi protocol created by Yearn.Finance founder Andre Cronje — had been exploited for $15 million. The incident laid bare the risks of the “test in production” culture that had become prevalent in the DeFi space and triggered a wave of soul-searching among investors and developers alike.
TL;DR
- Eminence.Finance, an unaudited DeFi protocol by YFI founder Andre Cronje, was exploited for $15 million
- The attacker used a flash loan to mint EMN tokens at the tight end of the bonding curve, then drained liquidity pools
- $8 million was mysteriously returned to Cronje’s yearn.finance developer account by the hacker
- Cronje announced refunds based on a pre-hack snapshot but received death threats, leading him to leave Twitter
- The exploit highlights the dangers of investing in unaudited, unfinished smart contracts
Eminence was envisioned as a new in-game economy for a gaming multiverse, built on Ethereum. Cronje, whose Yearn.Finance protocol had become one of the most successful DeFi projects of 2020, had deployed early versions of the Eminence smart contracts on Uniswap as part of his well-known “test in prod” development process. He had publicly stated the project was “at least +3 weeks away” from completion and that the contracts were neither final nor audited.
How the Exploit Unfolded
Despite Cronje’s clear warnings about the unfinished state of the project, DeFi investors — often referred to as “degens” — began pouring funds into the Eminence contracts in anticipation of another Yearn-like success story. While Cronje was away, users flocked to the protocol, choosing factions within the planned gaming ecosystem and depositing assets into the liquidity pools.
A hacker seized the opportunity, exploiting the unaudited smart contracts using a flash loan attack. The method was deceptively simple: the attacker minted a large quantity of EMN tokens at the tight end of the bonding curve, then burned the EMN for other currencies within the protocol, and finally sold those currencies back for EMN at a profit. This cyclic exploitation drained approximately $15 million worth of deposited assets from the protocol.
A Partial Refund from an Unexpected Source
In an unusual twist, the hacker returned $8 million to Andre Cronje’s personal yearn.finance developer wallet. The motivation behind this partial refund remains unclear. Cronje publicly acknowledged the returned funds and committed to distributing them back to affected holders based on a pre-hack snapshot.
“As I am receiving a fair amount of threats, I have asked yearn treasury to assist with refunding the 8m the hacker sent. The multisig is safer and as such I feel more comfortable with them having the funds,” Cronje wrote on Twitter on September 29. “Funds will be returned to holders pre-hack snapshot.”
Cronje Faces Threats, Exits Twitter
The aftermath of the exploit turned ugly quickly. Cronje, who had built significant goodwill in the DeFi community through the success of Yearn.Finance, found himself on the receiving end of death threats from investors who had lost money in the Eminence exploit. The pressure prompted him to deactivate his Twitter account on September 29, leaving the community without one of its most prominent voices.
The incident prompted a broader discussion about the responsibilities of developers in the DeFi space. While Cronje had been transparent about the unfinished nature of the contracts, the culture of rushing into unaudited protocols — hoping to get in early on the next YFI — had led many investors to ignore clear warnings.
A Pattern of DeFi Exploits
The Eminence exploit came just days after the KuCoin exchange hack on September 25, where over $275 million in cryptocurrency was stolen from the Singapore-based exchange’s hot wallets. Together, the two incidents underscored the security challenges facing both centralized and decentralized corners of the cryptocurrency market in late September 2020.
With DeFi’s total value locked having ballooned to $11 billion, the sector’s rapid growth was attracting not just investors but also sophisticated attackers. The Eminence incident served as a costly reminder that in the world of decentralized finance, the line between innovation and exploitation can be razor-thin.
Why This Matters
The Eminence exploit is a cautionary tale about the intersection of developer experimentation and investor speculation in DeFi. Cronje’s “test in prod” approach, while innovative, created an environment where users could — and did — invest real money into unfinished products. The $15 million loss highlights the critical importance of smart contract audits and the need for investors to exercise greater due diligence before depositing funds into unaudited protocols. As DeFi continues to grow, the tension between rapid innovation and security will remain one of the sector’s defining challenges.
andre literally said the contracts were 3+ weeks away from being done and degens still aped in. every time
death threats over an unaudited contract he told everyone not to use. this community has a real toxicity problem
the hacker returning $8M is still one of the weirdest things in defi history. no explanation ever came out
flash loan attacks were becoming a weekly thing by late 2020. the bonding curve exploit pattern was so simple in hindsight