DeFi protocol Yearn Finance’s losses from hacking total $11,6 million
A hacker used a bug in a “misconfigured yUSDT”
13.04.2023 - 10:40
432
3 min
0
What’s new? On April 13, cybersecurity company PeckShield reported a DeFi protocol Yearn Finance exploit that caused the project to lose $11,6 million. The hacker used a bug in the “misconfigured yUSDT” to issue 1,2 quadrillion coins, using an initial deposit of $10 000. He exchanged the resulting yUSDT for other stablecoins: Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD), and TruUSD (TUSD).
The loss of today's @iearnfinance yUSDT hack is ~$11.6m. As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT - https://t.co/sYuEuiBhAo - to mint extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot pic.twitter.com/UZf3TJNPMu — PeckShield Inc. (@peckshield) April 13, 2023
What else is known? Earlier it was thought that the exploit affected the DeFi protocol Aave v1, however, the project’s developers said that it was only used by the hacker to exchange tokens for the exploit.
We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.iearn is an immutable contract predating YFI, it was deprecated in 2020.Vaults v1, with… — yearn (@iearnfinance) April 13, 2023
Later, PeckShield analysts also clarified that the main reason had to do with the misconfiguration of yUSDT, not Aave.
We need to clarify that the root cause is due to misconfigured yUSDT, not related to @AaveAave. https://t.co/XjI9UhbOZf — PeckShield Inc. (@peckshield) April 13, 2023
Aave integrations lead Marc Zeller said the impact on the protocol was limited. He said v1 “has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.”
The current assets of v1 are $18 million and the size of the Aave safety module is $382,50 million, Zeller said, adding that v2 and v3 Aave have not been affected.
Aave V1 has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.We're aware of the situation and research is ongoing. More info when we have more clarity. — Marc Zeller 👻 💜 🦇🔊 (@lemiscate) April 13, 2023
On April 9, the SushiSwap exchange was hit by an exploit. The platform lost $3,3 million in ETH due to a smart contract error. On the same day, the South Korean exchange GDAC was hacked for almost $13 million. Hackers transferred from the platform’s hot wallet to an unknown address 23% of the total amount of digital assets stored on it.
Useful material?
Market
Due to supply shortages, the asset’s pre-market exchange rate was climbing above $1000
Dec 16, 2024
Incidents
Reports about the hacking of the exchange with calls to withdraw assets began to spread on December 13
Dec 13, 2024
Crypto regulations
Stablecoins from issuer Circle will not be affected by the changes
Dec 12, 2024
Crypto regulations
The platform will launch after meeting the preconditions of the local exchange authority
Dec 9, 2024
Market
The $1,1 billion figure was reached after the bitcoin correction
Dec 6, 2024
Crypto regulations
By early January, all open positions and loans of local users will be closed and repaid automatically
Dec 5, 2024