
Critical vulnerability found in new DeFi protocol from yEarn.Finance founder
A vulnerability detected in the smart contract of the DeFi project yCredit, launched yesterday, allows all user funds to be drained, according to blockchain developer Nour Haridy.
IMPORTANT
The yCredit contract is vulnerable to an economic attack that can cause loss of all user funds.
If you deposited into the contract using Etherscan or bought yCredit on Sushiswap, withdraw or sell it immediately.
I’ll publish the exploit after all funds are withdrawn.
— nour (@NourHaridy) January 1, 2021
The creator of yEarn.Finance, André Cronje, unveiled a new project on December 31. The yCredit platform allows users to deposit ERC-20 tokens and borrow yCredit coins equal to 99.5% of the deposited amount.
Haridy described the project as "super-ambitious" and "pushing the boundaries of capital efficiency." However, he urged users to withdraw all funds, warning that it is only a matter of time before someone exploits the vulnerability he uncovered.
Developer Ivan Martinez, with whom Haridy shared the discovery, confirmed that the exploit works. Martinez said someone has already exploited a different attack vector against yCredit.
Someone used a different attack vector on yCredit than what @NourHaridy discovered. https://t.co/cer3GtUzHp
Makes you think, would an audit capture these? What if Andre puts just enough of his own funds to make exploiting attractive? Maybe it's even cheaper/faster vs. an audit 🤔
— Ivan Martinez (@0xKiwi_) January 2, 2021
Presenting the project, Cronje noted that the yCredit protocol is in an experimental stage and users participate at their own risk.
Earlier, in September, an unknown party withdrew user assets worth about $15 million from André Cronje’s Eminence, a DeFi project built for testing.