A hacker used a bug in a “misconfigured yUSDT”

DeFi protocol Yearn Finance’s losses from hacking total $11.6 million

13.04.2023 - 10:40



What’s new? On April 13, cybersecurity company PeckShield reported an exploit of the DeFi protocol Yearn Finance that caused the project to lose $11.6 million. The hacker used a bug in the “misconfigured yUSDT” to issue 1.2 quadrillion coins, using an initial deposit of $10,000. He exchanged the resulting yUSDT for other stablecoins: Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD), and TrueUSD (TUSD).

What else is known? Earlier it was thought that the exploit affected the DeFi protocol Aave v1. However, the project’s developers said that the hacker only used it to exchange tokens for the exploit.

Later, PeckShield analysts also clarified that the main reason had to do with the misconfiguration of yUSDT, not Aave.

Aave integrations lead Marc Zeller said the impact on the protocol was limited. He said v1 “has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.”

The current assets of v1 are $18 million and the size of the Aave safety module is $382.50 million, Zeller said, adding that Aave v2 and v3 have not been affected.

On April 9, the SushiSwap exchange was hit by an exploit. The platform lost $3.3 million in ETH due to a smart contract error. On the same day, the South Korean exchange GDAC was hacked for almost $13 million. Hackers transferred 23% of the total digital assets stored on the platform from its hot wallet to an unknown address.
