DeFi protocol Yearn Finance’s losses from hacking total $11,6 million
A hacker used a bug in a “misconfigured yUSDT”
![DeFi protocol Yearn Finance’s losses from hacking total $11,6 million](https://storage.getblock.net/source/1/dd0NL8Z0Szzosg8Lzp3qN5LHe6pezoFC.webp)
13.04.2023 - 10:40
323
3 min
0
What’s new? On April 13, cybersecurity company PeckShield reported a DeFi protocol Yearn Finance exploit that caused the project to lose $11,6 million. The hacker used a bug in the “misconfigured yUSDT” to issue 1,2 quadrillion coins, using an initial deposit of $10 000. He exchanged the resulting yUSDT for other stablecoins: Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD), and TruUSD (TUSD).
The loss of today's @iearnfinance yUSDT hack is ~$11.6m. As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT - https://t.co/sYuEuiBhAo - to mint extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot pic.twitter.com/UZf3TJNPMu — PeckShield Inc. (@peckshield) April 13, 2023
What else is known? Earlier it was thought that the exploit affected the DeFi protocol Aave v1, however, the project’s developers said that it was only used by the hacker to exchange tokens for the exploit.
We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.iearn is an immutable contract predating YFI, it was deprecated in 2020.Vaults v1, with… — yearn (@iearnfinance) April 13, 2023
Later, PeckShield analysts also clarified that the main reason had to do with the misconfiguration of yUSDT, not Aave.
We need to clarify that the root cause is due to misconfigured yUSDT, not related to @AaveAave. https://t.co/XjI9UhbOZf — PeckShield Inc. (@peckshield) April 13, 2023
Aave integrations lead Marc Zeller said the impact on the protocol was limited. He said v1 “has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.”
The current assets of v1 are $18 million and the size of the Aave safety module is $382,50 million, Zeller said, adding that v2 and v3 Aave have not been affected.
Aave V1 has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.We're aware of the situation and research is ongoing. More info when we have more clarity. — Marc Zeller 👻 💜 🦇🔊 (@lemiscate) April 13, 2023
On April 9, the SushiSwap exchange was hit by an exploit. The platform lost $3,3 million in ETH due to a smart contract error. On the same day, the South Korean exchange GDAC was hacked for almost $13 million. Hackers transferred from the platform’s hot wallet to an unknown address 23% of the total amount of digital assets stored on it.
Useful material?
Market
Australia’s largest financial institutions have refused to process payments to digital asset trading platforms due to the risk of fraud
Jul 26, 2024
Politics
According to the politician, the value of the country’s bitcoin reserves should equal the value of gold reserves
Jul 26, 2024
Mining
The capacity of the Bitaxe device used by the network participant is only 500 Gh/s
Jul 25, 2024
Trends
Meanwhile, Trump-inspired assets have not shown significant growth
Jul 22, 2024
Market
The fee will be as much as 2,5% compared to 0,25-0,19% for competitors
Jul 18, 2024
Market
This is the third consecutive month of decline
Jul 18, 2024