De.Fi Security Team: $10K Turned Into $10M

A hacker exploited a vulnerability in an “outdated” iearn stablecoin to drain $10 million in liquidity from Yearn Finance and Aave Protocol. Following the attack, both Yearn and Aave assured users that current versions of their protocols were not impacted by the exploit.

"We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols," Yearn tweeted.

Yearn said the exploited contract was deprecated in 2020.

AaveAave said the vulnerability to did not impact any version of its protocol.

The Security Department of Web3 Super App and Antivirus De.Fi broke down the attack in a Twitter thread.

According to De.Fi, the iearn yUSDT token was misconfigured to use Fulcrum $iUSDC instead of Fulcrum $iUSDT. The attacker used the vulnerability to mint 1.2 quadrillion $yUSDT from just $10,000, then cashed out the $yUSDT for other stablecoins.

De.Fi posted screenshots of the attacker’s two wallets, showing about $10 million in assets spread across $ETH, $aTUSD, $DAI and $USDC.