On Thursday, blockchain security firm PeckShield detected an exploit on a token issued by DeFi protocol Yearn Finance.
The loss of today's @iearnfinance yUSDT hack is ~$11.6m.
As mentioned earlier, the hacker exploits a bug in the misconfigured yUSDT – https://t.co/sYuEuiBhAo – to mint an extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is… https://t.co/Qz3vwtbcot
— PeckShield Inc. (@peckshield) April 13, 2023
A misconfigured yUSDT contract enabled the hackers to mint more than 1 quadrillion tokens from just $10,000 worth of USDT. In total, they drained over $11 million worth of crypto in the exploit, which included 61,000 USDP, 1.5 million TUSD, 1.79 million BUSD, 1.2 million USDT, 2.58 million USDC and 3 million DAI.
On-chain data shows that the hackers have already sent 1000 ETH to Tornado Cash, worth around $1.9 million at the time of writing.
The contract was attacked in two consecutive transactions. In the first, the exploiters drained the Aave v1 interest-bearing pool; in the second, they transferred USDC held in the Fulcrum strategy pool to yUSDT/ycUSDT. This triggered a rebalance, during which yUSDT/ycUSDT, reading its own balance as zero, retrieved a large amount of USDC.
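The accounting pattern behind that "balance reads as zero" failure is easier to see in a small model. The following is an added, constructed example, not code from Yearn or from the yUSDT contract: a generic share-based vault that prices deposits as `amount * total_supply / pool_value`, first with the pool value read from the correct token, then from a misconfigured token the vault barely holds, and finally with two deposit-time sanity checks. Every name, amount and check here is an assumption for the demonstration; the example generalizes to any share vault whose pricing reads the wrong balance.

```python
"""Constructed model of share-vault accounting (not Yearn's code).

A share-based vault mints deposit shares as
    shares = amount * total_supply / pool_value
If pool_value is read from the wrong token (the vault looks up the balance of
an asset it never really holds), it reads as dust or zero, and a small deposit
mints an enormous number of shares. Amounts use 6-decimal units, like USDT.
"""
from dataclasses import dataclass, field

UNIT = 10**6  # 6-decimal token units (assumption, matching USDT/USDC)


@dataclass
class Vault:
    underlying: str                 # token the vault actually accepts, e.g. "USDT"
    priced_token: str               # token whose strategy balance the pricing code reads
    total_supply: int = 0           # vault shares outstanding
    holdings: dict = field(default_factory=dict)  # token -> units held via strategies

    def pool_value(self) -> int:
        # What the vault believes it is worth. Correct when priced_token == underlying;
        # a misconfigured priced_token reads some unrelated balance instead.
        return self.holdings.get(self.priced_token, 0)

    def deposit(self, amount: int) -> int:
        """Mint shares for `amount` units of underlying at the current share price."""
        pool = self.pool_value()
        if self.total_supply == 0:
            shares = amount                              # first depositor gets 1:1
        else:
            # Inflates when pool is mis-read as dust; a true zero would revert
            # (ZeroDivisionError here) rather than mint.
            shares = amount * self.total_supply // pool
        self.holdings[self.underlying] = self.holdings.get(self.underlying, 0) + amount
        self.total_supply += shares
        return shares


class HardenedVault(Vault):
    """Same vault with two deposit-time invariants that reject a mis-read pool value."""

    def deposit(self, amount: int) -> int:
        # Check 1: the balance used for pricing must be the vault's own underlying.
        if self.priced_token != self.underlying:
            raise ValueError("pricing reads a token other than the vault underlying")
        pool = self.pool_value()
        # Check 2: price per share started at 1.0; refuse to mint if it has
        # apparently collapsed below 0.5, which no honest rebalance produces.
        if self.total_supply > 0 and pool * 2 < self.total_supply:
            raise ValueError("pool value implausibly low relative to shares outstanding")
        return super().deposit(amount)


def scenario(priced_token: str, hardened: bool = False, amount: int = 10_000 * UNIT) -> int:
    """Deposit `amount` into a vault holding 1M USDT plus 8 units of USDC dust (constructed)."""
    cls = HardenedVault if hardened else Vault
    vault = cls(
        underlying="USDT",
        priced_token=priced_token,
        total_supply=1_000_000 * UNIT,
        holdings={"USDT": 1_000_000 * UNIT, "USDC": 8},
    )
    return vault.deposit(amount)


if __name__ == "__main__":
    print("correct config :", scenario("USDT") / UNIT, "shares for 10,000 USDT")
    print("misconfigured  :", scenario("USDC") / UNIT, "shares for 10,000 USDT")
    try:
        scenario("USDC", hardened=True)
    except ValueError as err:
        print("hardened vault : rejected,", err)
```

With the correct configuration the 10,000-unit deposit mints 10,000 shares; with pricing pointed at the 8-unit USDC dust balance, the same deposit mints 1.25e15 shares, because the denominator is eight units instead of a million tokens. The hardened vault rejects the deposit before any division happens. Neither check is specific to this incident; they are the kind of invariant a vault should enforce whenever its pricing depends on an external strategy balance.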
Yearn Finance said that the vulnerability was isolated to an outdated contract that predates its v1 and v2 vaults.
“This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols. iearn is an immutable contract predating YFI; it was deprecated in 2020,” said the Yearn team.
The yUSDT contract has been vulnerable since it was first deployed, more than three years ago.
Aave also confirmed that it was aware of the transaction, and that it had no impact on Aave v1 or on the current versions of the protocol, Aave v2 and v3.
Interestingly, the exploit actually benefited some users, because the exploiters paid back those with USDT debt on Aave v1.