High-risk DeFi speculators have lost $15 million in a rapid rise and fall of an unreleased NFT game called Eminence.

Eminence Finance (ticker EMN) is an unreleased project under construction by yearn‘s Andre Cronje. Its smart contracts were deployed without announcement last night and quickly discovered by the community.

Despite almost zero information being available on the project, speculators surged into the token manually by interacting with the contracts, with $15 million of funds being used to mint EMN tokens in a matter of hours.

It didn’t take long, however, for the untested, unaudited code to be exploited by an attacker, who swept the contract clean of the 15M DAI invested. The hacker has graciously sent half of the funds totalling ~8M DAI back to the yearn deployer address, used to partially reimburse affected accounts.

Image credit of Banteg.

Where did the project come from?

According to a Tweet by Cronje following the attack, the project is a DeFi-based game which was not due to be released for another 3 weeks or more.

It was suggested by one Twitter user, IslandKiyo, that the game was likely a joint effort between Cronje and a 2018 Kickstarter project called Eminence: Xander’s Tales, which appears to share the same name and branding. The original game was a card-collecting role-playing game, which proposed a virtual world and an in-game currency.

Aside from an Eminence Twitter page with a single post (retweeted by Cronje himself without context), no other details about the project were made available in the public eye – no website, no discussion groups, and no documentation.

Community members, however, noticed the deployment of the game’s contracts from the yearn.finance contract deployer address, and jumped at the chance to get in first on a new YFI-related project.

EMN trading frenzy

News of the project – still lacking hard evidence of any project details – rapidly spread across social media.

Tech-savvy users began to purchase EMN tokens manually via Etherscan, paying with Dai. Liquidity did not take long to hit decentralized exchange Uniswap, which just as quickly became swarmed with traders.

The Uniswap EMN-ETH market has reached almost $12M worth of trading volume at the time this was written.

EMN Exploit

The fun didn’t last long, as an attacker swiftly found an exploit in the project which enabled them to mint themselves billions of tokens – all funded with a flash-loan.

The attacker then dumped the tokens via the Eminence smart contract , sweeping the contract clean of 15M DAI.

Surprisingly, the attacker followed this by returning $8 million of the stolen funds to Andre Cronje’s Ethereum address, unprompted.

What happens now?

Upon being awoken by messages related to the debacle, Cronje has sent the $8 million in returned funds to the Yearn treasury. From there, he has decided that the funds will be returned to EMN holders using a snapshot of balances before the attack took place.

This will equate to approximately a 50% refund for EMN holders before the attack.

He has also stated that he will continue to build the project and deploy test contracts, which are likely to contain vulnerabilities.

If one thing is for sure, EMN serves as a valuable lesson to DeFi traders who have become comfortable with YOLO’ing into the hottest new token. Thankfully, 50% of funds are being returned. While it’s unlikely, hopefully EMN can serve a lesson to always DYOR before investing in unaudited, unverified contracts.

To stay up on Eminence, follow the project on Twitter.