- The attacker exploited a misconfiguration in Yearn Finance’s yUSDT stablecoin.
- Aave V1 was previously believed to be impacted by the exploit but has since been cleared of any damage.
Decentralized finance protocol Yearn Finance fell victim to an exploit earlier today that saw the hacker make off with millions of dollars worth of crypto assets. Data gathered by blockchain security firms revealed that the attacker was able to drain more than $11 million worth of stablecoins from Yearn Finance.
According to PeckShield Inc, the exploit occurred this morning on an early version of Yearn Finance called iearn. Early reports suggested that Yearn and fellow DeFi protocol Aave were impacted by the attack. However, Aave took to Twitter after the hack to confirm that contrary to what was being claimed, Aave V1 was not impacted by the exploit.
Blockchain security firms scrambled to find the root cause of the exploit and subsequently identified Yearn Finance’s misconfigured stablecoin yUSDT as the root vulnerability. PeckShield’s investigation revealed that the hacker exploited this vulnerability to mint a significant amount of yUSDT, 1,252,660,242,212,927.5 to be precise, using just 10,000 USDT. The newly minted yUSDT was then cashed out for other dollar-pegged stablecoins.
On-chain analytics firm Lookonchain revealed that the hacker’s loot included 3.03 million DAI, 2.5 million USDC, 1.7 million BUSD, 1.5 million TUSD, and 1.1 million USDT. In a message to its Twitter community, Yearn Finance stated that the impact of the exploit was limited to iearn, an outdated contract that was deprecated in 2020. Yearn V2 Vaults are reportedly unaffected.
The exploit had a considerable impact on the tokens associated with Yearn Finance and Aave. AAVE experienced a relatively small price decrease of 2.15%, from which it subsequently recovered. Yearn Finance’s YFI token, on the other hand, tanked 4.6%, reaching as low as $8,942, before recovering to $9,175.