DeFi protocols Yearn Finance and Aave suffered exploitation to the tune of over $11 million owing to a misconfigured yUSDT, blockchain security expert Peckshield revealed.
Initially, the attack was thought to be limited to Aave V1, but on-chain sleuths later found that the protocol had instead been exploited to mint a huge amount of yUSDT from just $10K of USDT.
The massive amount of yUSDT was then converted to other stablecoins and cashed out. So far, the flash loan exploiter has stolen millions worth of USDT, TUSD, BUSD, USDC, and DAI.
Shortly after that, Yearn Finance’s team issued a public statement as it continues its investigation.
We’re looking into an issue with iEarn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iEarn and does not impact current Yearn contracts or protocols. iEarn is an immutable contract predating YFI; it was deprecated in 2020. Vaults v1, with upgradeable strategies, was also deprecated in 2021. There’s no indication it’s affected. The current version, Yearn v2 Vaults [written in Vyper], remains unaffected as well.
As further information came to light, several security analysts confirmed that the issue is specific to the affected liquidity pool and the 2020-launched iEarn legacy protocol. Yearn v2 Vaults do not appear to be affected.
Voicing a similar opinion, white-hat hacker samczsun said, “It seems like the iEarn USDT token [yUSDT] has been broken since deployment, which was *checks notes* over 1000 days ago. It was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.”
For those new to the space, prominent Web3 developer Andre Cronje pioneered two DeFi projects — yEarn Finance and iEarn. Cronje renamed iEarn to Yearn Finance [YFI] in July 2020 after it showed success in yield aggregation.
So far, security researchers have traced the vulnerability to the contracts of Yearn’s predecessor. Meanwhile, a similar smart contract exploit took place a few days earlier.
DeFi Protocol Sushi DEX Hack
Popular decentralized protocol Sushi DEX reported a loss of over $3 million due to a bug in the “RouterProcessor2” contract, which is used to route trades on the SushiSwap exchange.
The issue seems to only impact users who approved SushiSwap contracts within the previous four days, according to @0xngmi, a pseudonymous DefiLlama developer.
After the incident, SushiSwap chief developer Jared Grey asked users to revoke access granted to any contracts on the platform as a security precaution.
Grey also assured that the team was “working with security teams to mitigate the issue.”