Blockchain security company PeckShield has reported a multi-million dollar loss caused by an exploit that targeted yUSDT, a stablecoin produced by Yearn Finance, a decentralized finance platform. The attack affected Aave V1 and several stablecoins, including DAI, USDT, USDC, BUSD, and TUSD, all of which are pegged to the US dollar.
Initially, it was believed that the exploit would target Aave V1. However, the hack primarily affected Yearn Finance’s yUSD stablecoin, carried out by swapping tokens. Aave engineers confirmed that their protocol was not impacted by the attack.
Hi @AaveAave @iearnfinance, you may want to take a look: https://t.co/61wSYHqwvs
— PeckShield Inc. (@peckshield) April 13, 2023
An analysis of the situation indicated that the losses on Aave V1 may have exceeded $11 million, with several stablecoins affected, including DAI, USDT, USDC, BUSD, and TUSD, all of which are pegged to the US dollar.
PeckShield tweeted following the initial alert, stating that the root cause of the exploit was due to a poorly configured yUSDT and that it was not linked to Aave.
We need to clarify that the root cause is due to misconfigured yUSDT, not related to @AaveAave. https://t.co/XjI9UhbOZf
— PeckShield Inc. (@peckshield) April 13, 2023
PeckShield stated that the exploiters managed to create over 1.2 quadrillion yUSDT, worth millions of stablecoins, using a $10,000 initial investment. These tokens were then utilized to trick the Yearn Finance protocol and traded for millions of stablecoins. However, the impact on the protocol was minimal since version 1 has been frozen since December 2022.
According to Marc Zeller, founder of Aave integrations, Aave V2 and V3 were unaffected at the time of writing. He also mentioned that the current sizes of Aave V1 and the Aave safety module are $18 million and $382.50 million, respectively.
With further research, we think the impact on Aave V1 is likely null. Also zero impact on V2 & V3. https://t.co/LorX68Urre
— Marc Zeller 👻 💜 🦇🔊 (@lemiscate) April 13, 2023
Zeller further stated that Aave users financially benefited from the Yearn Finance exploiter’s decision to settle all users’ $USDT debt. He compared the situation to a thrilling roller coaster ride.
Based on the ERC-20 holdings of “FUCK YEARN” tokens, it appears that the exploiter was not a big fan of Yearn Finance. He also clarified that the settlement only affected extremely old 2020 Yearn vaults, and current Yearn vaults were not impacted.
Yearn Finance stated on their Twitter account that the V1 vault, which was upgradable, had been deprecated in 2021, but there is no indication that it has been affected. The Yearn V2 vaults, which is the version written in Vyper, are also unaffected. They assured users that the team would continue to conduct further research to better understand the ramifications of the event.
If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter, LinkedIn, Facebook, Instagram, and CoinMarketCap Community.
“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”
