Decentralized Finance (DeFi) protocol Yearn Finance suffered an attack to the tune of $11.6 million on April 13, after a hacker exploited an old Yearn Finance contract to mint 1 quadrillion yUSDT, according to a PeckShield report.
The loss of today's @iearnfinance yUSDT hack is ~$11.6m.
As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT – https://t.co/sYuEuiBhAo – to mint extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot pic.twitter.com/UZf3TJNPMu
— PeckShield Inc. (@peckshield) April 13, 2023
Thereafter, the hacker successfully transferred 1,000 Ether worth almost $2 million to the crypto mixer Tornado Cash.
Blockchain security firm PeckShield found that the hacker swapped the yUSDT for other stablecoins. These include 61,000 Pax Dollar (USDP), 1.5 million TrueUSD (TUSD), and 1.79 million Binance USD.
Others include 1.2 million Tether (USDT), 2.58 million USD Coin (USDC), and 3 million in DAI.
Following the incident, PeckShield notified the DeFi protocols Aave and Yearn Finance of what had transpired.
Hi @AaveAave @iearnfinance, you may want to take a look: https://t.co/61wSYHqwvs
— PeckShield Inc. (@peckshield) April 13, 2023
Thereafter, lending platform Yearn Finance remarked that the attack was limited to iearn, which was an outdated contract between Vaults V1 and V2. It further stated that the present Yearn Finance contract was not affected.
We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.
This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.
iearn is an immutable contract predating YFI, it was deprecated in 2020.
Vaults v1, with…
— yearn (@iearnfinance) April 13, 2023
The hack was carried out by exploiting a vulnerability in Yearn Finance’s v1 vault, which had not been in use for several months.
The hacker was able to deposit a small amount of DAI and borrow a much larger amount of yDAI, which was then swapped for yUSDT tokens. With this yUSDT, the hacker was able to mint an astronomical one quadrillion tokens.
Meanwhile, the liquidity protocol Aave acknowledged the hack and further stated that it did not have any impact on Aave V1, V2 or V3.
We are aware of this transaction, and it did not have an impact on Aave V2 and Aave V3.
We are now confirming whether there is any impact on Aave V1, the oldest version of the protocol which has been frozen. We're monitoring the situation closely to ensure no further concerns. https://t.co/uM9wtLNJMl
— Aave (@AaveAave) April 13, 2023
Security of DeFi Protocols Amid Rising Attacks
There is a compelling need to fortify the security of decentralized finance (DeFi) protocols amid rising attacks.
While the hack was a significant setback for Yearn Finance, it highlights the importance of maintaining the security of smart contracts, particularly those that are no longer in use.
Now more than ever, DeFi protocols must remain vigilant and conduct regular audits of all their contracts to prevent any potential exploits. Already, more than $320 million has been lost to hacks in 2023, according to a CertiK report.
Over $300M was lost in Q1 of this year.. so let's break it down
–#Euler Finance exploit.. what went wrong 📉
-90 exit scams totaling over $30m 🕵️
-Increase in phishing expeditions 🎣
-Legacy Financial system cracking? 🏦
Full FREE report 👇 https://t.co/Q2MiVXQYYK
— CertiK (@CertiK) April 7, 2023
It is important that users take steps to protect themselves by conducting thorough research on any protocol before investing, spreading their funds across multiple protocols, and keeping an eye out for any suspicious activity.
Storing assets in a hardware wallet, rather than on a centralized exchange, is also an essential measure to protect against theft.
Putting an end to the rise in DeFi hacks requires a collective effort if the industry is to grow and attract more users.