Yearn Finance Suffers $11.54 Million Loss Due to Smart Contract Vulnerability

Summary

On April 13, 2023, Yearn Finance, a prominent DeFi protocol on the Ethereum blockchain, was exploited due to a misconfiguration in its yUSDT vault’s smart contract. The attacker leveraged this vulnerability to mint an excessive number of yUSDT tokens, which were subsequently exchanged for stablecoins. The exploit led to the loss of approximately $11.54 million.

Attackers

The attackers are unidentified, but their wallet addresses and contracts are known:

Attacker Addresses:

Malicious Contracts:

Losses

Yearn Finance lost approximately $11.54 million in the exploit. The funds were predominantly in U.S. dollar-pegged stablecoins, including DAI, USDT, USDC, BUSD, and TUSD.

Timeline

  • April 13, 2023, 05:52:35 UTC: The attacker exploited the vulnerability in Yearn Finance’s yUSDT vault. First transaction and second transaction.
  • April 13, 2023: Yearn Finance team acknowledges the incident and clarifies that the exploit occurred in the legacy Yearn protocol and liquidity pool but did not affect Yearn v2 vaults.
  • April 13, 2023: Aave developers clarify that Aave V1, V2, and V3 contracts were not impacted by the exploit.
  • April 13, 2023: The attacker transferred 1000 ETH to Tornado Cash from their second wallet.

Security Failure Causes

  • Smart contract misconfiguration: The root cause of the vulnerability was a misconfiguration in the yUSDT vault’s smart contract. Specifically, the contract was wired to the iUSDC token instead of the iUSDT token, so the vault depended on a yield token whose underlying asset (USDC) was not the pool’s own underlying token (USDT). This error was present at the time of deployment and went unnoticed for approximately 1000 days.
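The wiring mistake described above is the kind of defect a deploy-time invariant check can catch: every yield token a vault holds must redeem into the vault's own underlying asset. The following Python model is an added example, not Yearn's code; the token addresses are constructed placeholders and the `underlying` attribute is an assumed field standing in for whatever the real wrapper exposes.

```python
"""Deploy-time wiring check for a stablecoin yield vault (added example).

Models the bug class above: a USDT vault configured with a yield-bearing
wrapper of a different stablecoin (iUSDC). All addresses are placeholders."""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Erc20:
    address: str
    symbol: str
    decimals: int


@dataclass(frozen=True)
class YieldToken(Erc20):
    underlying: Erc20  # assumed field: the asset the wrapper accepts and redeems


@dataclass
class VaultConfig:
    name: str
    want: Erc20  # asset depositors supply and shares are priced in
    yield_tokens: List[YieldToken] = field(default_factory=list)


# Constructed placeholder tokens, not real deployments.
USDT = Erc20("0xPLACEHOLDER_USDT", "USDT", 6)
USDC = Erc20("0xPLACEHOLDER_USDC", "USDC", 6)
I_USDT = YieldToken("0xPLACEHOLDER_IUSDT", "iUSDT", 6, USDT)
I_USDC = YieldToken("0xPLACEHOLDER_IUSDC", "iUSDC", 6, USDC)


def audit_vault_wiring(vault: VaultConfig) -> List[str]:
    """Return findings; an empty list means every yield token matches `want`."""
    findings: List[str] = []
    if not vault.yield_tokens:
        findings.append(f"{vault.name}: no yield token configured")
    for yt in vault.yield_tokens:
        if yt.underlying.address.lower() != vault.want.address.lower():
            findings.append(f"{vault.name}: {yt.symbol} redeems "
                            f"{yt.underlying.symbol}, vault wants {vault.want.symbol}")
        if yt.decimals != vault.want.decimals:
            findings.append(f"{vault.name}: {yt.symbol} decimals "
                            f"{yt.decimals} != {vault.want.decimals}")
    return findings


# The mis-wired vault (iUSDC in a USDT vault) beside the corrected one.
MISCONFIGURED = VaultConfig("yUSDT", USDT, [I_USDC])
CORRECTED = VaultConfig("yUSDT", USDT, [I_USDT])
```

Running `audit_vault_wiring(MISCONFIGURED)` reports the iUSDC/USDT mismatch, while the corrected configuration returns no findings; the same check belongs in a deployment script or a `require` in the vault constructor.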