The money stolen in DeFi hacks continues to grow as decentralized Finance (DeFi) aggregator Yearn Finance has become the latest victim of an $11.6 million flash loan attack involving Aave protocol.
The blockchain security firm PeckShield first alerted the Yearn Finance and Aave teams on Thursday, April 13. According to the firm, the hacker exploited a bug in the token issued on Yearn Finance to launch a flash loan attack on the platform.
Misconfigured Yellow Tether (yUSDT) is the Culprit
Per the PeckShield report, the perpetrator exploited a misconfigured Yellow Tether (yUSDT) contract to mint a large amount of yUSDT from just $10K USDT. He then swapped these tokens for other stablecoins. PeckShield estimated the total stolen worth to $11.6 million as they declared on their twitter,
In the initial alert, PeckShield also mentioned the Aave DeFi protocol. Aave V1 was previously thought to be affected by the exploit. However, the protocol developer later confirmed that the exploit had not impacted Aave V1. The attacker only used the Aave protocol to swap stolen tokens, which the security firm later confirmed.
“We need to clarify that the root cause is due to misconfigured yUSDT, not related to Aave,” PeckShield said in a follow-up tweet.”
Ronin experienced a breach when the attacker was able to get control of four validator nodes and one third-party validator run by Axie DAO.
The Yearn Finance team also confirmed the incident and highlighted that the current protocol version V2 was unaffected. The attack only involves iearn, a predecessor to Yearn Finance developed by Andre Cronje in 2020. The protocol said on the following tweet,
“We’re looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols. iearn is an immutable contract predating YFI, it was deprecated in 2020. Vaults v1, with upgradeable strategies, was also deprecated in 2021. There’s no indication it’s affected. The current version, Yearn v2 Vaults (written in Vyper), remains unaffected as well. Stay tuned for updates as our team investigates further.”
Lookonchain’s data suggest that the exploiter may have managed to rake in more than $10 million in 3,032,142 $DAI, 2,579,483 $USDC, 1,785,091 $BUSD, 1,512,528 $TUSD, 1,193,756 $USDT.
The DeFi hacks are no way near to an end. Stories of hacks and exploits have been rampant this year. Rough estimates say that DeFi hackers stole $211.5 million worth of cryptocurrencies in March through 26 attacks, nearly ten times the $21 million stolen in February in 7 security incidents.
