Yearn Finance Hacked For Over $100M In Stablecoins

Key Takeaways:

• DeFi protocols Yearn Finance and Aave were affected by a vulnerability today, according to PeckShield.

• The exploit seems to involve a token that was generated by an early version of Yearn Finance but was misconfigured.

Security company PeckShield reported this morning that an exploit this morning affected a fault in a token produced by the decentralised finance (DeFi) system Yearn Finance, resulting in millions of dollars in losses.

The analysis indicated that losses on Ave version 1 may have exceeded $11 million. These were distributed among the stablecoins dai (DAI), tether (USDT), USD Coin (USDC), binance USD (BUSD), and tru USD (TUSD) that are pegged to the US dollar.

According to Peckshield, the misconfigured yUSDT, which is exploited to create enormous yUSDT (1,252,660,242,212,927.5) from a meagre $10K USDT, is the real cause of the exploit and not Aave. Peckshield said, “The enormous yUSDT is then cashed out by swapping to other stablecoins.”

Hi @AaveAave @iearnfinance, you may want to take a look: https://t.co/61wSYHqwvs

— PeckShield Inc. (@peckshield) April 13, 2023

No user can deposit or raise borrow size, says Aave Chan founder Marc Zeller, making the problem unlikely but not impossible. He also disclosed that the size of V1 is currently $18 million, while the size of the Aave safety module is currently $382.50 million.

Aave V1 has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.

We're aware of the situation and research is ongoing. More info when we have more clarity.

— Marc Zeller ???? ???? ???????? (@lemiscate) April 13, 2023

According to senior developer Storm Blessed 0x of the project, only earlier versions of Yearn were exploited, hence the damage was minimal.

We are aware of an issue that seems isolated to the iearn legacy protocol launched in 2020 and liquidity pool.

Yearn v2 vaults seem not to be impacted.

Yearn contributors are investigating.

Further comms to follow on main account. https://t.co/CKddWwjFj8

— Storm Blessed 0x ???????? (@storming0x) April 13, 2023

As per PeckShield, the attackers have already begun extracting ETH through the Ethereum mixer Tornado Cash, having done so with 1,000 ETH totaling about $1.9 million.

The deployment of one of the first Yearn vaults, which accept deposits of tether (USDT), which are converted into Yearn-equivalent tokens, had a flaw that the attacker was able to exploit.

It is important to note that, since the centralised stablecoins from Circle and Tether can more easily be frozen, stopping future transfer, hackers favour DAI and ETH over USDC and USDT.

Aave recognised the exploit and noted that Aave V2 and Aave V3 were unaffected. According to the DeFi platform, the team is currently ascertaining whether Aave V1, the oldest version of the protocol that has been frozen, is affected in any way. 
There have already been numerous breaches in 2023, with major DeFi systems becoming the primary victims. SushiSwap recently suffered a $3.3 million vulnerability caused by an approval-related flaw in its RouterProcessor2 contract.