Yearn Finance Hack - April 2023 ($11.54M)
Overview
On April 13, 2023, Yearn Finance on the Ethereum chain was attacked through a misconfiguration in the yUSDT vault. The attackers exploited this flaw and stole approximately $11.54 million.
Root Cause
The vulnerability was a misconfiguration in the yUSDT vault. Specifically, the contract's Fulcrum configuration used the iUSDC token instead of the iUSDT token, leading to a mistaken dependency on the pool's underlying token. The misconfiguration was present at the time of deployment and went unnoticed for approximately 1000 days.
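A deployment-time check for the class of misconfiguration described above, as an added example that is not Yearn's code: it compares the underlying asset of every configured lender wrapper against the vault's own token. The addresses, the registry and the names `audit_vault`, `Finding` and `norm` are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (not real mainnet addresses).
USDT = "0x" + "11" * 20
USDC = "0x" + "22" * 20
I_USDT = "0x" + "a1" * 20   # stands in for the Fulcrum iUSDT wrapper
I_USDC = "0x" + "a2" * 20   # stands in for the Fulcrum iUSDC wrapper
A_USDT = "0x" + "b1" * 20   # stands in for the Aave aUSDT wrapper

# Underlying asset each wrapper reports. Assumption: in a live check this is
# read from the wrapper contract itself rather than from a static table.
WRAPPER_UNDERLYING = {I_USDT: USDT, I_USDC: USDC, A_USDT: USDT}

@dataclass(frozen=True)
class Finding:
    slot: str
    reason: str

def norm(addr):
    """Addresses compare case-insensitively (checksummed vs. lowercase)."""
    return addr.strip().lower()

def audit_vault(token, lenders, registry=WRAPPER_UNDERLYING):
    """Return a Finding for each lender slot that does not wrap `token`."""
    reg = {norm(k): norm(v) for k, v in registry.items()}
    want = norm(token)
    findings = []
    for slot, wrapper in sorted(lenders.items()):
        underlying = reg.get(norm(wrapper))
        if underlying is None:
            # Fail closed: an unverifiable wrapper is a finding, not a pass.
            findings.append(Finding(slot, "unknown wrapper, underlying unverified"))
        elif underlying != want:
            findings.append(Finding(slot, f"underlying {underlying} != vault token {want}"))
    return findings

# USDT vault as the page describes it: the fulcrum slot is set to iUSDC.
MISCONFIGURED = {"aave": A_USDT, "fulcrum": I_USDC}
CORRECTED = {"aave": A_USDT, "fulcrum": I_USDT}

if __name__ == "__main__":
    for name, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, audit_vault(USDT, cfg))
```

Run as a deployment gate and again on a schedule, the same comparison would have flagged the fulcrum slot on day one instead of leaving it in place for the roughly 1000 days the page reports.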
Attack Details
The attacker began by borrowing a large amount of DAI, USDC, and USDT through flash loans, then exchanged DAI and USDC for USDT using Curve's ySwap to deplete aUSDT reserves in the yUSDT contract. PeckShield said exploiters were able to mint over 1.2 quadrillion yUSDT in early Asian hours using a $10,000 initial deposit, which was then used to trick the Yearn Finance protocol into eventually cashing out millions in stablecoins.
Impact Scope
The Yearn Finance team clarified that the exploit occurred in the legacy iearn protocol and liquidity pool launched in 2020. However, Yearn v2 vaults were not affected by the exploit.