$11M Exploit Hits Yearn Finance, Aave Version 1 Impacted

• Nearly $11M was stolen from Yearn Finance due to an exploit that occurred via Aave Version 1.
• The exploit mainly involved Yearn Finance’s yUSD stablecoin and spread across U.S. dollar-pegged stablecoins such as Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD) and TrueUSD (TUSD).
• Aave Version 1 has been frozen since December 2022, and the current size of v1 is $18 million with a safety module of $382.50M.

Yearn Finance Exploit Resulted in Nearly $11M Loss

An exploit occurred on DeFi protocol Yearn Finance this morning, leading to millions of dollars in losses, according to a tweet from security firm PeckShield. Data suggests that the loss could total over $11 million, spread across U.S. dollar-pegged stablecoins such as Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD) and TrueUSD (TUSD).

Exploit Involved Yearn Finance’s yUSD Stablecoin

The exploit mainly involved Yearn Finance’s yUSD stablecoin, exploiting a bug in a token issued by the protocol. Exploiters were able to mint over 1.2 quadrillion yUSDT in early Asian hours using a $10,000 initial deposit, which was then used to trick the Yearn Finance protocol into cashing out millions in stablecoins.

Aave Version 1 Frozen Since December 2022

Marc Zeller, founder of the Aave-Chan Initiative and former Aave integration lead, said that version 1 of Aave has been frozen since December 2022 and that the current size of v1 is $18 million, with a safety module of $382.50M. This suggests that versions 2 and 3 were unaffected at the time of writing, and that Aave itself was unaffected by the exploit even though it was used for swapping tokens during the exploit.

Misconfigured yUSDT Responsible For Exploit

PeckShield clarified that the root cause is a misconfigured yUSDT rather than anything related to Aave itself.

Conclusion

The recent Yearn Finance exploit resulted in an estimated loss of nearly 11 million US dollars across U.S. dollar-pegged stablecoins such as Dai (DAI) and Tether (USDT). A misconfigured yUSDT was responsible for the exploit, while version 1 of Aave has been frozen since December 2022, with no impact on other versions or on Aave itself.