Yearn Finance Suffers $11.6M Hack Through Aave V1 Protocol, Involving Misconfigured yUSDT Token
On April 13th, PeckShield, a blockchain security auditing firm, flagged a suspicious transaction. Notably, two well-established decentralized finance projects, Yearn Finance and Aave, were involved in the incident.
It appears the root cause is due to the misconfigured yUSDT, which is exploited to mint huge yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. The huge yUSDT is then cashed out by swapping to other stable coins. https://t.co/Qz3vwtbcot pic.twitter.com/xlsc2Nlmle
— PeckShield Inc. (@peckshield) April 13, 2023
Initial analysis suggested that this was an attack targeting Yearn Finance, with the capital sourced from Aave through a flash loan. However, some users were concerned that Aave itself might also be affected, since there were unusual transactions involving its lending product: the Aave-related transactions were Repay calls into the Aave V1 Core pool.
Marc Zeller, Aave's representative, tweeted that Aave V1 has been frozen since December 2022, so users cannot deposit into it or increase their borrow size, which makes an impact on Aave unlikely but not impossible. Zeller added that the Aave team was aware of the situation and was investigating, and that more information would be released once there was more clarity. A Snapshot vote, due to start within hours, was also set up to let governance decide on offboarding V1.
V1 was discussed for offboarding with a snapshot vote starting in a few hours to allow governance to decide on the offboard.
So in any scenario, feel free to repay/withdraw your funds from V1 using the classic app : https://t.co/OQKPZMN3HP https://t.co/DeMupQ1dQg
— Marc Zeller 👻 💜 🦇🔊 (@lemiscate) April 13, 2023
In any scenario, users are free to repay or withdraw their funds from V1 using the classic app. The current size of V1 is $18M, while the Aave Safety Module currently holds $382.50M. After further research, it was concluded that the impact on Aave V1 is likely to be nil, and that there is no impact on V2 and V3.
The white hat hacker samczsun believes that Yearn's yUSDT token has been broken since its initial deployment: its Fulcrum lending position was misconfigured with the contract address set to Fulcrum iUSDC instead of iUSDT, so the vault was wired to a receipt token for a different asset than the one it holds.
It seems like the iearn USDT token (yUSDT) has been broken since deploy, which was *checks notes* over 1000 days ago. It was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token. https://t.co/FMtjACkGNz pic.twitter.com/dxW9E0ndF1
— samczsun (@samczsun) April 13, 2023
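To make the two observations above concrete (a vault pointed at the wrong lending token, and a small deposit minting an enormous number of shares), here is an added example that is not Yearn's, Fulcrum's or Aave's code and does not reconstruct the on-chain attack sequence. It is a simplified model of iearn-style share accounting: the vault values itself by summing the balances of the lending positions it is configured with, and mints shares as `amount * supply / pool`. If the pool value it computes is wrong, the mint is wrong by the same factor. The class and function names, the balances and the 90% price floor are assumptions chosen for illustration; the deployment check and the mint guard are the kind of controls a reviewer would want, not controls the page says Yearn had.

```python
"""Added example (not Yearn's code): a minimal model of iearn-style vault
share accounting, a deployment-time check that a lending position is a
receipt for the vault's own asset, and a mint guard that refuses to mint
when the vault's own accounting says a share has collapsed in value.
All names, balances and thresholds are assumptions for illustration."""

from dataclasses import dataclass, field


@dataclass
class LendingToken:
    """Stand-in for a Fulcrum-style iToken (assumed model): a receipt token
    whose balance is redeemable for exactly one underlying asset."""
    symbol: str
    underlying: str
    balances: dict = field(default_factory=dict)  # holder -> balance, underlying units


@dataclass
class Vault:
    """Stand-in for an iearn-style yToken vault (assumed model)."""
    symbol: str
    underlying: str
    positions: list            # LendingTokens the vault believes hold its underlying
    total_shares: int = 0

    def pool_value(self) -> int:
        """Underlying the vault thinks it controls: the sum of its lending balances.
        If a position is a receipt for the wrong asset, this number is wrong too."""
        return sum(p.balances.get(self.symbol, 0) for p in self.positions)

    def shares_for(self, amount: int) -> int:
        """Proportional mint: amount * supply / pool (first deposit mints 1:1)."""
        pool = self.pool_value()
        if pool == 0 or self.total_shares == 0:
            return amount
        return amount * self.total_shares // pool

    def share_price_bps(self) -> int:
        """Underlying per share in basis points (10_000 == 1.0)."""
        if self.total_shares == 0:
            return 10_000
        return self.pool_value() * 10_000 // self.total_shares


def config_mismatches(vault: Vault) -> list:
    """Deployment-time check: every position must be a receipt for the vault's asset."""
    return [p.symbol for p in vault.positions if p.underlying != vault.underlying]


def guarded_deposit(vault: Vault, amount: int, min_price_bps: int = 9_000) -> int:
    """Mint shares, refusing if the wiring is wrong or if the vault's own accounting
    values a share below min_price_bps (assumed invariant for a stablecoin vault:
    a collapsed share price means pool_value is wrong or the vault is insolvent)."""
    bad = config_mismatches(vault)
    if bad:
        raise ValueError(f"{vault.symbol}: positions for the wrong underlying: {bad}")
    price = vault.share_price_bps()
    if price < min_price_bps:
        raise ValueError(f"{vault.symbol}: share price {price} bps below floor, refusing mint")
    shares = vault.shares_for(amount)
    vault.total_shares += shares
    target = vault.positions[0]
    target.balances[vault.symbol] = target.balances.get(vault.symbol, 0) + amount
    return shares


def demo() -> dict:
    """Constructed scenario: one correctly wired vault, one wired to the USDC receipt."""
    i_usdt = LendingToken("iUSDT", "USDT")
    i_usdc = LendingToken("iUSDC", "USDC")

    # Correctly wired: 1,000,000 USDT backing 1,000,000 shares, so 1 share == 1 USDT.
    good = Vault("yUSDT", "USDT", [i_usdt], total_shares=1_000_000)
    i_usdt.balances["yUSDT"] = 1_000_000

    # Miswired: same 1,000,000 shares outstanding, but the only position the vault
    # reads is a receipt for a different asset, and its accounting sees almost
    # nothing backing them (assumed state, not the reconstructed on-chain state).
    bad = Vault("yUSDT-miswired", "USDT", [i_usdc], total_shares=1_000_000)
    i_usdc.balances["yUSDT-miswired"] = 10

    try:
        guarded_deposit(bad, 10_000)
        bad_rejected = False
    except ValueError:
        bad_rejected = True

    return {
        "good_shares_for_10k": good.shares_for(10_000),   # proportional: 10,000
        "bad_shares_for_10k": bad.shares_for(10_000),     # same deposit, 1,000,000,000
        "bad_mismatches": config_mismatches(bad),         # ['iUSDC']
        "bad_price_bps": bad.share_price_bps(),           # 0: accounting says shares are worthless
        "bad_rejected_by_guard": bad_rejected,            # True
        "good_guarded_shares": guarded_deposit(good, 10_000),  # 10,000
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is that the naive formula preserves the share price by construction, so no post-mint check on the price catches the problem; the price was already wrong before the deposit. What does catch it is verifying at deployment that each position's underlying-asset getter returns the vault's own token, and monitoring the vault's self-reported share price against a floor so that a collapse pauses minting instead of letting a $10K deposit buy a majority of the supply.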
At the time of writing, about $10M has been withdrawn from Yearn Finance and sits in a wallet at address “0x16A…74A5”, while a second wallet, “0x5ba…fE0”, is still carrying out similar attacks.
Overall, this incident highlights the need for constant vigilance in DeFi. While the impact on Aave V1 appears to be minimal, a misconfiguration that sat unnoticed in a live contract since its deployment is a reminder that deployed parameters and integrations need review alongside the code itself, and that participants must take the precautions needed to safeguard user funds. The DeFi market continues to evolve rapidly, and all participants need to stay informed about the latest developments.