
Hacker drains $11.6m from Yearn Finance DeFi protocol
On 13 April, a hacker stole crypto assets worth $11.6m from Yearn Finance’s DeFi protocol through an exploit in the platform’s stablecoin contract — yUSDT.
The loss of today’s @iearnfinance yUSDT hack is ~$11.6m.
As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT — https://t.co/sYuEuiBhAo — to mint an extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot pic.twitter.com/UZf3TJNPMu
— PeckShield Inc. (@peckshield) April 13, 2023
The primary cause was a misconfiguration of yUSDT, an analogue of Tether's USDT stablecoin.
According to PeckShield analysts, the hacker managed to mint more than 1.2 quadrillion yUSDT from a deposit of 10,000 USDT. After that, he swapped the minted coins for other stablecoins, including DAI, USDT, USDC, BUSD, and TUSD.
The hacker used the first version of the Aave protocol to carry out a large series of swaps. However, the project team said the network itself was not affected.
We are aware of this transaction, and it did not have an impact on Aave V2 and Aave V3.
We are now confirming whether there is any impact on Aave V1, the oldest version of the protocol which has been frozen. We’re monitoring the situation closely to ensure no further concerns. https://t.co/uM9wtLNJMl
— Aave (@AaveAave) April 13, 2023
“We are aware of this transaction, and it did not affect Aave V2 and Aave V3. We are now assessing whether there is any impact on Aave V1, the oldest version of the protocol, which has been frozen. We are closely monitoring the situation to prevent any further issues,” wrote the developers.
Representatives from Yearn Finance also said that an investigation has begun. They said the issue relates to “the outdated iearn protocol launched in 2020, and the liquidity pool.” The platform’s v2 vaults are safe.
We are aware of an issue that seems isolated to the iearn legacy protocol launched in 2020 and liquidity pool.
Yearn v2 vaults seem not to be impacted.
Yearn contributors are investigating.
Further comms to follow on main account. https://t.co/CKddWwjFj8
— Storm Blessed 0x (@storming0x) April 13, 2023
Analysts at Nansen noted that the hacker has already moved the funds to three addresses in ETH, DAI, USDC and BUSD.
The yUSDT exploiter has split their funds to 3 addresses with a total amount of $11.3 million in ETH, DAI, USDC, and BUSD
Check the exploiter’s transactions here: https://t.co/Vkctitu6ga pic.twitter.com/T4AuNxaZNg
— Nansen Portfolio (@nansenportfolio) April 13, 2023
In April, the DeFi protocol Terraport Finance on Terra Classic suffered a $2 million hack ten days after its official launch.
In the same month, CertiK analysts said that in Q1 2023 blockchain projects lost more than $320 million due to hacks and fraud.