Cryptocurrencies, blockchain, NFT and new trends

Exploit involving early version of Yearn Finance saw damages of $11.6 million: PeckShield

Crypto Ecosystems • April 13, 2023, 2:57AM EDT

Quick Take

  • PeckShield said the size of the hack was $11.6 million.
  • It appears to involve a misconfigured token created by an early version of Yearn Finance.

Stay updated on Pro Crypto Ecosystems news by locking ACS tokens with The Block.

Connect/Create Wallet You can unlock at any time.*
No wallet? No problem. You can set one up for free. We recommend Torus for first-time users.
*a 2% locking fee will be added at the time of locking. Learn more about Access Protocol

An exploit involving an early version of the DeFi protocol Yearn Finance, called iearn, took place earlier today, causing damages of $11.6 million, according to PeckShield.

The exploiter received a mix of stablecoins, including DAI, USDC, BUSD, TUSD and USDT, according to LookOnChain.

Broken for three years

Pseudonymous crypto researcher Samczsun claimed that Yearn Finance’s version of USDT, called yUSDT, has been broken since it was deployed around three years ago. He said it was “misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.”

PeckShield corroborated this idea. It said that the root cause appears to be the misconfigured yUSDT. This was exploited to mint 1.2 quadrillion yUSDT from just $10,000. This was then cashed out by swapping to other stablecoins.

We are aware of an issue that seems isolated to the iearn legacy protocol launched in 2020 and liquidity pool,” said Yearn Finance contributor Storm Blessed 0x on Twitter. “Yearn v2 vaults seem not to be impacted. Yearn contributors are investigating.”

Aave V1 used but wasn’t exploited

The attack used the Aave V1 protocol in making a large array of swaps but the Aave team said that it wasn’t exploited.

We can confirm that Aave V1 was not impacted,” said Aave CEO Stani Kulechov on Twitter.

“We need to clarify that the root cause is due to misconfigured yUSDT, not related to Aave,” added PeckShield.

This story has been updated to show how the exploit took place, which protocols it affected and with PeckShield’s latest estimate on the size of the hack.