DeFi Aggregator Yearn Finance Suffers $11.6M Flash Loan Attack

The money stolen in DeFi hacks continues to grow: decentralized finance (DeFi) aggregator Yearn Finance has become the latest victim of an $11.6 million flash loan attack involving the Aave protocol.
The blockchain security firm PeckShield first alerted the Yearn Finance and Aave teams on Thursday, April 13. According to the firm, the hacker exploited a bug in the token issued on Yearn Finance to launch a flash loan attack on the platform.
Hi @AaveAave @iearnfinance, you may want to take a look: https://t.co/61wSYHqwvs
— PeckShield Inc. (@peckshield) April 13, 2023
Misconfigured Yellow Tether (yUSDT) is the Culprit
Per the PeckShield report, the perpetrator exploited a misconfigured Yellow Tether (yUSDT) contract to mint a large amount of yUSDT from just $10K USDT. The attacker then swapped these tokens for other stablecoins. PeckShield estimated the total stolen at $11.6 million, as it stated on Twitter:
The loss of today's @iearnfinance yUSDT hack is ~$11.6m.
As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT – https://t.co/sYuEuiBhAo – to mint extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot pic.twitter.com/UZf3TJNPMu
— PeckShield Inc. (@peckshield) April 13, 2023
In the initial alert, PeckShield also mentioned the Aave DeFi protocol. Aave V1 was previously thought to be affected by the exploit. However, the protocol developer later confirmed that the exploit had not impacted Aave V1. The attacker only used the Aave protocol to swap stolen tokens, which the security firm later confirmed.
“We need to clarify that the root cause is due to misconfigured yUSDT, not related to Aave,” PeckShield said in a follow-up tweet.
The Yearn Finance team also confirmed the incident and highlighted that the current protocol version, V2, was unaffected. The attack only involves iearn, a predecessor to Yearn Finance developed by Andre Cronje in 2020. The protocol said in the following tweet:
“We’re looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols. iearn is an immutable contract predating YFI, it was deprecated in 2020. Vaults v1, with upgradeable strategies, was also deprecated in 2021. There’s no indication it’s affected. The current version, Yearn v2 Vaults (written in Vyper), remains unaffected as well. Stay tuned for updates as our team investigates further.”
— yearn (@iearnfinance) April 13, 2023
Lookonchain’s data suggest that the exploiter may have managed to rake in more than $10 million: 3,032,142 $DAI, 2,579,483 $USDC, 1,785,091 $BUSD, 1,512,528 $TUSD, and 1,193,756 $USDT.
DeFi hacks are nowhere near an end. Stories of hacks and exploits have been rampant this year. Rough estimates say that DeFi hackers stole $211.5 million worth of cryptocurrencies in March through 26 attacks, nearly ten times the $21 million stolen in February in 7 security incidents.
