Yearn Finance Suffers $11.54 Million Loss Due to Smart Contract Vulnerability

April 13, 2023

Summary #

On April 13, 2023, Yearn Finance, a prominent DeFi protocol on the Ethereum blockchain, was exploited due to a misconfiguration in its yUSDT vault’s smart contract. The attacker leveraged this vulnerability to mint an excessive number of yUSDT tokens, which were subsequently exchanged for stablecoins. The exploit led to the loss of approximately $11.54 million.

Attackers #

The attackers are unidentified, but their wallet addresses and contracts are known:

Attacker Addresses:

Malicious Contracts:

Losses #

Yearn Finance lost approximately $11.54 million in the exploit. The funds were predominantly in U.S. dollar-pegged stablecoins, including DAI, USDT, USDC, BUSD, and TUSD.

Timeline #

April 13, 2023, 05:52:35 AM +UTC: The attacker exploited the vulnerability in Yearn Finance’s yUSDT vault. First transaction and second transaction.
April 13, 2023: Yearn Finance team acknowledges the incident and clarifies that the exploit occurred in the legacy Yearn protocol and liquidity pool but did not affect Yearn v2 vaults.
April 13, 2023: Aave developers clarify that Aave V1, V2, and V3 contracts were not impacted by the exploit.
April 13, 2023: The attacker transferred 1000 ETH to Tornado Cash from their second wallet.

Security Failure Causes #

Smart contract misconfiguration: The root cause of the vulnerability was a misconfiguration in the yUSDT vault’s smart contract. Specifically, the contract utilized the iUSDC token instead of the iUSDT token, leading to a mistaken dependency on the pool’s underlying token. This error was present at the time of deployment and went unnoticed for approximately 1000 days.

Market Health Metrics API

Benford's Law

Volume distribution analysis

Time-of-Trade

Buy/Sell Ratio

VWAP

Attack Types

Entity Types

Target Entities

51% Attacks

Custodian Attacks

Flash Loan Attacks

Lockout Scams

Phishing Attacks

Reentrancy Attacks

Rug Pull Scam