Yearn Finance Suffers $11.54 Million Loss Due to Smart Contract Vulnerability
Summary
On April 13, 2023, Yearn Finance, a prominent DeFi protocol on the Ethereum blockchain, was exploited due to a misconfiguration in its yUSDT vault’s smart contract. The attacker leveraged this vulnerability to mint an excessive number of yUSDT tokens, which were subsequently exchanged for stablecoins. The exploit led to the loss of approximately $11.54 million.
Attackers
The attackers are unidentified, but their wallet addresses and contracts are known:
Attacker Addresses:
- 0x5bac20beef31d0eccb369a33514831ed8e9cdfe0
- 0x16Af29b7eFbf019ef30aae9023A5140c012374A5
- 0x6f4A6262d06272c8B2E00Ce75e76d84b9D6F6aB8
Malicious Contracts:
Losses
Yearn Finance lost approximately $11.54 million in the exploit. The funds were predominantly in U.S. dollar-pegged stablecoins, including DAI, USDT, USDC, BUSD, and TUSD.
Timeline
- April 13, 2023, 05:52:35 UTC: The attacker exploited the vulnerability in Yearn Finance’s yUSDT vault across two transactions (first transaction and second transaction).
- April 13, 2023: Yearn Finance team acknowledges the incident and clarifies that the exploit occurred in the legacy Yearn protocol and liquidity pool but did not affect Yearn v2 vaults.
- April 13, 2023: Aave developers clarify that Aave V1, V2, and V3 contracts were not impacted by the exploit.
- April 13, 2023: The attacker transferred 1000 ETH to Tornado Cash from their second wallet.
Security Failure Causes
- Smart contract misconfiguration: The root cause of the vulnerability was a misconfiguration in the yUSDT vault’s smart contract. Specifically, the contract utilized the iUSDC token instead of the iUSDT token, leading to a mistaken dependency on the pool’s underlying token. This error was present at the time of deployment and went unnoticed for approximately 1000 days.
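The invariant the misconfiguration violated is that every lending-pool wrapper a vault depends on must wrap the vault's own underlying asset. The following Solidity sketch is an added illustration, not Yearn's code; the `IWrappedLendingToken.underlying()` interface is an assumption standing in for whatever accessor a given wrapper (iToken, aToken, cToken) actually exposes. It shows how a vault can refuse to deploy with a mismatched component and how the same check can be polled off-chain as a monitoring signal.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed minimal interface of an interest-bearing wrapper (e.g. an iToken):
// returns the address of the asset it wraps. Hypothetical, not a real ABI.
interface IWrappedLendingToken {
    function underlying() external view returns (address);
}

/// @notice Illustrative vault skeleton (not Yearn's code). Each lending-pool
/// component the vault relies on must wrap the asset the vault accounts for
/// ("want"); a vault wired to a USDC wrapper while accounting in USDT is
/// exactly the class of error described above.
contract VaultWithUnderlyingCheck {
    address public immutable want;   // e.g. the USDT token address
    address[] public components;     // wrappers such as iUSDT, aUSDT, cUSDT

    error UnderlyingMismatch(address component, address expected, address actual);

    constructor(address want_, address[] memory components_) {
        want = want_;
        for (uint256 i = 0; i < components_.length; i++) {
            // Deployment fails instead of silently shipping a wrong dependency.
            _assertWraps(components_[i], want_);
            components.push(components_[i]);
        }
    }

    function _assertWraps(address component, address expected) internal view {
        address actual = IWrappedLendingToken(component).underlying();
        if (actual != expected) {
            revert UnderlyingMismatch(component, expected, actual);
        }
    }

    /// @notice Cheap invariant check for post-deployment verification and
    /// monitoring: an off-chain job can call it periodically and alert if it
    /// reverts, so a misconfigured vault is caught before funds are minted
    /// against the wrong balance.
    function checkConfiguration() external view returns (bool) {
        for (uint256 i = 0; i < components.length; i++) {
            _assertWraps(components[i], want);
        }
        return true;
    }
}
```

The same check belongs in the deployment script and in a fork-based test that asserts `checkConfiguration()` succeeds against mainnet addresses before any vault goes live.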