As we forge into 2023, the decentralized finance (DeFi) sector is facing a mounting crisis: a sharp increase in the number of hacks and exploits plaguing the industry. In a stunning turn of events, two prominent names in the DeFi market, Aave and Yearn Finance, have fallen victim to an audacious exploit, with over $10 million worth of stablecoins siphoned off by nefarious actors. The crypto community is reeling from the shockwaves of this high-profile heist, which has cast a shadow over the previously untarnished reputations of these two DeFi giants.
Yearn Finance Rocked By $10 Million Exploit
Decentralized finance (DeFi) protocols Aave V1 and Yearn Finance have fallen prey to a major exploit, with early reports from security firms like PeckShield estimating the loss to be around $10 million. The perpetrators managed to snatch a mix of stablecoins, including DAI, USDC, BUSD, TUSD, and USDT, as revealed by LookOnChain.
As investigations continue, Aave Chan Initiative founder Marc Zeller’s recent tweets hint at the exploit being centered on Aave V1. Zeller stated, “Aave V1 has been frozen since Dec 2022, so no user can deposit or increase borrow size, making the issue unlikely but not impossible.” He further elaborated on the current size of Aave V1, which stands at $18 million, while the project boasts a safety module of $382.5 million that could potentially be utilized to compensate for the lost funds.
In an official statement, Aave has confirmed that its earliest iteration, the now-inactive Aave V1, remains impervious to the recent exploit.
The DeFi community is now awaiting further details and the outcome of ongoing investigations. This latest exploit underscores the persistent security concerns that plague the rapidly growing DeFi sector, highlighting the urgent need for enhanced security measures and better safeguards to protect users’ investments.
Yearn Finance’s yUSDT Has A Potential Flaw
Marc Zeller confirmed that Aave is actively researching the situation to unravel the specifics of the heist. Meanwhile, pseudonymous crypto researcher Samczsun has pointed to a potential flaw in Yearn Finance’s yUSDT token as a contributing factor.
Samczsun revealed that Yearn Finance’s yUSDT had been misconfigured since its deployment around three years ago, using the Fulcrum iUSDC token instead of the intended Fulcrum iUSDT token. This error may have played a role in the recent exploit, leaving the DeFi protocols vulnerable to malicious actors.
PeckShield recently said that the misconfigured yUSDT token lies at the heart of the breach. The error allowed malicious actors to leverage a relatively small $10,000 USDT investment to mint an enormous 1,252,660,242,212,927.5 yUSDT.
This massive amount of yUSDT was then quickly converted to other stablecoins through a series of swaps, resulting in substantial illicit gains for the attackers.
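The two conditions reported above, a lending-pool token whose asset does not match the vault's and a mint wildly out of proportion to the deposit, are both things a deployment check or monitor can test for. The sketch below is an added example, not code from Yearn, Aave or PeckShield; the `Vault`/`Adapter` model, the alert threshold, the placeholder pool and the transaction labels are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Adapter:
    name: str        # lending-pool wrapper token the vault deposits into
    underlying: str  # asset that wrapper actually holds

@dataclass(frozen=True)
class Vault:
    name: str
    underlying: str  # asset users deposit and expect to redeem
    adapters: tuple

def audit_vault(vault):
    """Return one finding per adapter whose asset differs from the vault's."""
    return [
        f"{vault.name}: {a.name} holds {a.underlying}, expected {vault.underlying}"
        for a in vault.adapters
        if a.underlying != vault.underlying
    ]

def flag_mints(events, max_ratio=Decimal("10")):
    """Flag mints issuing more than max_ratio shares per unit deposited."""
    # max_ratio is an assumed alert threshold, not a protocol constant.
    flagged = []
    for ev in events:
        deposited, minted = Decimal(ev["deposited"]), Decimal(ev["minted"])
        # A zero deposit that still mints shares is always anomalous.
        ratio = minted / deposited if deposited > 0 else Decimal("Infinity")
        if minted > 0 and ratio > max_ratio:
            flagged.append((ev["tx"], ratio))
    return flagged

# Constructed sample data. Only the iUSDC/yUSDT pairing and the first mint's
# amounts come from the article; every other name and value is a placeholder.
SAMPLE_VAULT = Vault("yUSDT", "USDT", (
    Adapter("Fulcrum iUSDC", "USDC"),
    Adapter("placeholder-pool-A", "USDT"),
))
SAMPLE_MINTS = [
    {"tx": "constructed-tx-1", "deposited": "10000", "minted": "1252660242212927.5"},
    {"tx": "constructed-tx-2", "deposited": "5000", "minted": "4100"},
    {"tx": "constructed-tx-3", "deposited": "0", "minted": "0"},
]

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    print(flag_mints(SAMPLE_MINTS))
```

Run against the sample data, the audit reports the iUSDC adapter and the monitor flags only the first mint.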