DeFi protocol Yearn Finance’s losses from hacking total $11,6 million
A hacker used a bug in a “misconfigured yUSDT”
13.04.2023 - 10:40
356
3 min
0
What’s new? On April 13, cybersecurity company PeckShield reported a DeFi protocol Yearn Finance exploit that caused the project to lose $11,6 million. The hacker used a bug in the “misconfigured yUSDT” to issue 1,2 quadrillion coins, using an initial deposit of $10 000. He exchanged the resulting yUSDT for other stablecoins: Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD), and TruUSD (TUSD).
The loss of today's @iearnfinance yUSDT hack is ~$11.6m. As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT - https://t.co/sYuEuiBhAo - to mint extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot pic.twitter.com/UZf3TJNPMu — PeckShield Inc. (@peckshield) April 13, 2023
What else is known? Earlier it was thought that the exploit affected the DeFi protocol Aave v1, however, the project’s developers said that it was only used by the hacker to exchange tokens for the exploit.
We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.iearn is an immutable contract predating YFI, it was deprecated in 2020.Vaults v1, with… — yearn (@iearnfinance) April 13, 2023
Later, PeckShield analysts also clarified that the main reason had to do with the misconfiguration of yUSDT, not Aave.
We need to clarify that the root cause is due to misconfigured yUSDT, not related to @AaveAave. https://t.co/XjI9UhbOZf — PeckShield Inc. (@peckshield) April 13, 2023
Aave integrations lead Marc Zeller said the impact on the protocol was limited. He said v1 “has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.”
The current assets of v1 are $18 million and the size of the Aave safety module is $382,50 million, Zeller said, adding that v2 and v3 Aave have not been affected.
Aave V1 has been frozen since Dec 2022, so no user can deposit or increase borrow size making issue unlikely but not impossible.We're aware of the situation and research is ongoing. More info when we have more clarity. — Marc Zeller 👻 💜 🦇🔊 (@lemiscate) April 13, 2023
On April 9, the SushiSwap exchange was hit by an exploit. The platform lost $3,3 million in ETH due to a smart contract error. On the same day, the South Korean exchange GDAC was hacked for almost $13 million. Hackers transferred from the platform’s hot wallet to an unknown address 23% of the total amount of digital assets stored on it.
Useful material?
Market
The leader was the Solana network, with 100 million active addresses per month
Oct 17, 2024
Crypto regulations
Amendments to the regulation of financial institutions have been published for public discussion until October 30
Oct 16, 2024
Market
Over the past four years, the company’s shares have grown by 1540%, while the index has gained only 111%
Oct 16, 2024
Incidents
Over the last 24 hours, the asset has updated its all-time high at $2,34
Oct 15, 2024
Market
The Bitnomial platform will try to challenge the SEC’s position on the status of the XRP token
Oct 11, 2024
Incidents
Law enforcers explained such a small sentence by the fact that Heather Morgan actively cooperated with the investigation and played a minor role in the crime
Oct 11, 2024