Yearn Finance Urges Caution as Legacy Contract Bug Drains Multiple Pools

  • A bug drained multiple Curve pools, impacting liquidity providers.
  • Previously, a bug in the Sushi Swap system resulted in a $3.3M loss.

The decentralized finance (DeFi) platform, Yearn Finance, has announced that it is investigating an issue with an outdated contract called iEarn, which predated more recent versions such as Vaults v1 and v2.

According to the notification on Thursday, the issue is exclusive to iEarn and does not affect current Yearn contracts or protocols. Yearn Finance said Vaults v1, which had upgradeable strategies, was obsoleted in 2021, but there was no indication that it has been affected, as well as the current version, Yearn v2 Vaults.

However, Yearn Finance later realized that the recent exploit was caused by a bug in the legacy iEarn USDT (yUSDT) token contract. According to the official update, the bug persisted in several versions and led to multiple Curve pools, including BUSD and PAX, to be exploited and drained.

Liquidity providers who deposited their LP tokens into downstream protocols, such as users of the Yearn v2 and legacy v1, were impacted. While Yearn Finance’s team investigates the issue, DeFi users are urged to remain cautious and vigilant, particularly when dealing with older contracts.

Last week, the blockchain security firm PeckShield revealed that a bug in the approval system of SushiSwap’s RouterProcessor2 contract has led to the loss of more than 1,800 Ethereum tokens worth over $3.3 million.

Notably, the hack affected several chains, including Ethereum and Binance Smart Chain; PeckShield listed the affected addresses and advised users to revoke contract approvals.

Notably, a Smart Contract audit firm was able to block an attack transaction, rescuing 100 Ether, equivalent to nearly $200,000.

Related Articles

Back to top button