​DeFi protocol Yearn Finance’s losses from hacking total $11,6 million

What’s new? On April 13, cybersecurity company PeckShield reported a DeFi protocol Yearn Finance exploit that caused the project to lose $11,6 million. The hacker used a bug in the “misconfigured yUSDT” to issue 1,2 quadrillion coins, using an initial deposit of $10 000. He exchanged the resulting yUSDT for other stablecoins: Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD), and TruUSD (TUSD).

The loss of today's @iearnfinance yUSDT hack is ~$11.6m. As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT - https://t.co/sYuEuiBhAo - to mint extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot pic.twitter.com/UZf3TJNPMu — PeckShield Inc. (@peckshield) April 13, 2023

What else is known? Earlier it was thought that the exploit affected the DeFi protocol Aave v1, however, the project’s developers said that it was only used by the hacker to exchange tokens for the exploit.

We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.iearn is an immutable contract predating YFI, it was deprecated in 2020.Vaults v1, with… — yearn (@iearnfinance) April 13, 2023

Later, PeckShield analysts also clarified that the main reason had to do with the misconfiguration of yUSDT, not Aave.

We need to clarify that the root cause is due to misconfigured yUSDT, not related to @AaveAave. https://t.co/XjI9UhbOZf — PeckShield Inc. (@peckshield) April 13, 2023

Aave integrations lead Marc Zeller said the impact on the protocol was limited. He said v1 “has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.”

The current assets of v1 are $18 million and the size of the Aave safety module is $382,50 million, Zeller said, adding that v2 and v3 Aave have not been affected.

Aave V1 has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.We're aware of the situation and research is ongoing. More info when we have more clarity. — Marc Zeller 👻 💜 🦇🔊 (@lemiscate) April 13, 2023

On April 9, the SushiSwap exchange was hit by an exploit. The platform lost $3,3 million in ETH due to a smart contract error. On the same day, the South Korean exchange GDAC was hacked for almost $13 million. Hackers transferred from the platform’s hot wallet to an unknown address 23% of the total amount of digital assets stored on it.