Older Version of DeFi Yield Aggregator Yearn Finance Exploited for $11.6M

An older version of Yearn Finance protocol was hacked for $11.6 million on April 13 due to a vulnerability in Yearn's USDT token, yUSDT.

Initial reports suggested Aave was also exploited, but an Aave spokesperson told Decrypt that it was only used to swap an array of tokens. Aave's founder Stani Kulechov also confirmed that the project was not directly impacted.

Aave is one of DeFi’s oldest lending and borrowing protocols, letting users earn yield for depositing various cryptocurrencies. Yearn Finance is another popular DeFi protocol that aggregates various yield opportunities from around the market into a single platform.

The yUSDT token is a yield-accruing token that tracks a user's USDT stablecoin balance deposited in Yearn contracts.

"It was misconfigured to use the Fulcrum’s iUSDC token instead of the Fulcrum’s iUSDT token," noted Paradigm's researcher, Samczsun. Fulcrum is a DeFi platform that allows users to borrow and lend ETH and other ERC-20 tokens.

The damage was limited since only the older versions of Yearn were exploited, confirmed one of the project's senior developers Storm Blessed 0x.

The attackers have already started withdrawing ETH through the Ethereum mixer Tornado Cash, with 1,000 ETH worth around $1.9 million withdrawn already, per PeckShield.

Attacks such as this have become common in the DeFi sector.

In March, Euler Finance, another lending and borrowing protocol, was exploited for nearly $200 million across a variety of cryptocurrencies. Shortly after, Sushiswap, a decentralized crypto exchange, was hacked for $3.3 million.

The Euler team successfully negotiated the return of the majority of funds and SushiSwap has also rolled out a recovery plan for affected users.

Editor's note: This article was updated on April 13, 2023, at 8:30 am ET to reflect that Aave was not exploited, but was used to swap tokens during the exploit.