Key Points:
An attack using a defect in a Yearn Finance token leads to millions of dollars in damages.
However, Yearn V2 was not affected by the attack.
Aave also confirmed that there was no damage.
As Coincu reported, the DeFi protocols Aave and Yearn Finance are under assault from a flash loan attack.
Yearn Finance reposted protocol creator @storming0x’s tweet, in which he indicated that the presently known flaws do not seem to be connected to the Yearn heritage protocol and liquidity pool, which were introduced in 2020. Yearn v2 Insurance Libraries seem to be unaffected, and Yearn contributors are looking into it.
We are aware of an issue that seems isolated to the iearn legacy protocol launched in 2020 and liquidity pool. Yearn v2 vaults seem not to be impacted. Yearn contributors are investigating. Further comms to follow on main account. https://t.co/CKddWwjFj8
— Storm Blessed 0x (@storming0x) April 13, 2023
A bug in a token released by the decentralized finance (DeFi) system Yearn Finance was exploited this morning, according to security company PeckShield, resulting in millions of dollars in damages.
We need to clarify that the root cause is due to misconfigured yUSDT, not related to @AaveAave. https://t.co/XjI9UhbOZf
— PeckShield Inc. (@peckshield) April 13, 2023
Samczsun, a pseudonymous crypto researcher, stated that Yearn Finance’s version of USDT, known as yUSDT, has been broken since it was launched three years ago. He said that it had been misconfigured to utilize the Fulcrum iUSDC token rather than the Fulcrum iUSDT token.
It seems like the iearn USDT token (yUSDT) has been broken since deploy, which was *checks notes* over 1000 days ago. It was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.https://t.co/FMtjACkGNz pic.twitter.com/dxW9E0ndF1
— samczsun (@samczsun) April 13, 2023
This was confirmed by PeckShield. According to the report, the fundamental problem seems to be a misconfigured yUSDT. This was used to create 1.2 quadrillion yUSDT from just $10,000. This was then converted into cash by exchanging it for other stablecoins.
It appears the root cause is due to the misconfigured yUSDT, which is exploited to mint huge yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. The huge yUSDT is then cashed out by swapping to other stable coins. https://t.co/Qz3vwtbcot pic.twitter.com/xlsc2Nlmle
— PeckShield Inc. (@peckshield) April 13, 2023
Moreover, Yearn Finance has suffered a loss of around $11.6 million as a result of today’s assault.
#PeckShieldAlert #PeckShieldAlert The exploiter has grabbed ~$11.6M worth of stables, including 61K $USDP, 1.5M $TUSD, ~1.79M $BUSD, ~1.2M $USDT, ~2.58M $USDC and 3M $DAIThey supplied 1.5M $TUSD to #AAVE, and borrowed 634 $ETH from #AAVEhttps://t.co/fSD0UlhCi6And then swapped… pic.twitter.com/HW2lPplxTw
— PeckShieldAlert (@PeckShieldAlert) April 13, 2023
The exploit was initially considered to target Aave V1. Nevertheless, Aave developers said that the protocol was unaffected and that it was only utilized to transfer tokens in order to carry out the hack, which primarily included Yearn Finance’s yUSD stablecoin. Aave said in a tweet that the assault had no effect on Aave V1, V2, or V3.
We are aware of this transaction, and it did not have an impact on Aave V2 and Aave V3. We are now confirming whether there is any impact on Aave V1, the oldest version of the protocol which has been frozen. We're monitoring the situation closely to ensure no further concerns. https://t.co/uM9wtLNJMl
— Aave (@AaveAave) April 13, 2023
The assault on Aave and Yearn follows the SushiSwap exploit, which resulted in the loss of $3.3 million in assets last week.
DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.
Join us to keep track of news: https://linktr.ee/coincu
Harold
Coincu News