As we forge into 2023, the decentralized finance (DeFi) sector is facing a mounting crisis: a sharp increase in the number of hacks and exploits plaguing the industry. In a stunning turn of events, two prominent names in the DeFi market, Aave and Yearn Finance, have fallen victim to an audacious exploit, with over $10 million worth of stablecoins siphoned off by nefarious actors. The crypto community is reeling from the shockwaves of this high-profile heist, which has cast a shadow over the previously untarnished reputations of these two DeFi giants.
Aave V1 And Yearn Finance Rocked By $10 Million Exploit
Decentralized finance (DeFi) protocols Aave V1 and Yearn Finance have fallen prey to a major exploit, with early reports from security firms like PeckShield estimating the loss to be around $10 million. The perpetrators managed to snatch a mix of stablecoins, including DAI, USDC, BUSD, TUSD, and USDT, as revealed by LookOnChain.
An exploiter attacked @iearnfinance and @AaveAave.
The exploiter got over $10M in stablecoins.
Including:
– 3,032,142 $DAI
– 2,579,483 $USDC
– 1,785,091 $BUSD
– 1,512,528 $TUSD
– 1,193,756 $USDT
https://t.co/nT0PhL1cDC
— Lookonchain (@lookonchain) April 13, 2023
As investigations continue, Aave Chan Initiative founder Marc Zeller’s recent tweets hint at the exploit being centered on Aave V1. Zeller stated, “Aave V1 has been frozen since Dec 2022, so no user can deposit or increase borrow size, making the issue unlikely but not impossible.” He further elaborated on the current size of Aave V1, which stands at $18 million, while the project boasts a safety module of $382.5 million that could potentially be utilized to compensate for the lost funds.
The DeFi community is now awaiting further details and the outcome of ongoing investigations. This latest exploit underscores the persistent security concerns that plague the rapidly growing DeFi sector, highlighting the urgent need for enhanced security measures and better safeguards to protect users’ investments.
Yearn Finance’s yUSDT Has A Potential Flaw
Marc Zeller confirmed that Aave is actively researching the situation to unravel the specifics of the heist. Meanwhile, pseudonymous crypto researcher Samczsun has pointed to a potential flaw in Yearn Finance’s yUSDT token as a contributing factor.
Samczsun revealed that Yearn Finance’s yUSDT had been misconfigured since its deployment around three years ago, using the Fulcrum iUSDC token instead of the intended Fulcrum iUSDT token. This error may have played a role in the recent exploit, leaving the DeFi protocols vulnerable to malicious actors.
It appears the root cause is due to the misconfigured yUSDT, which is exploited to mint huge yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. The huge yUSDT is then cashed out by swapping to other stable coins. https://t.co/Qz3vwtbcot
— PeckShield Inc. (@peckshield) April 13, 2023
PeckShield recently said that the misconfigured yUSDT token lies at the heart of the breach. The error allowed malicious actors to leverage a relatively small $10,000 USDT investment to mint an enormous 1,252,660,242,212,927.5 yUSDT.
This massive amount of yUSDT was then quickly converted to other stablecoins through a series of swaps, resulting in substantial illicit gains for the attackers.
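The two defensive checks this incident points to, as an added example that is not code from Yearn, Aave or the researchers quoted above: a deployment-time check that every lending wrapper shares the vault's underlying asset, and a monitor that flags a mint whose implied share price is far from the expected one. The class and function names, the "xUSDT" wrapper, the expected price of 1 and the 5% tolerance are assumptions; the mint figures are the ones PeckShield reported.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Wrapper:
    symbol: str      # interest-bearing token the vault lends through
    underlying: str  # asset that wrapper actually accepts and holds

@dataclass(frozen=True)
class VaultConfig:
    symbol: str
    underlying: str
    wrappers: tuple

def underlying_mismatches(vault):
    """Return symbols of wrappers whose underlying differs from the vault's."""
    return [w.symbol for w in vault.wrappers if w.underlying != vault.underlying]

def mint_is_anomalous(deposit, minted, expected_price, tolerance=Decimal("0.05")):
    """Flag a mint whose implied price per share strays from expected_price."""
    if deposit <= 0 or minted <= 0:
        return True
    implied_price = deposit / minted
    return abs(implied_price - expected_price) / expected_price > tolerance

# Constructed configs: the article's misconfiguration and its intended form.
# "xUSDT" is a hypothetical second lender included to show a passing entry.
MISCONFIGURED = VaultConfig("yUSDT", "USDT",
                            (Wrapper("iUSDC", "USDC"), Wrapper("xUSDT", "USDT")))
CORRECTED = VaultConfig("yUSDT", "USDT",
                        (Wrapper("iUSDT", "USDT"), Wrapper("xUSDT", "USDT")))

if __name__ == "__main__":
    print(underlying_mismatches(MISCONFIGURED))
    print(underlying_mismatches(CORRECTED))
    # Figures reported by PeckShield; the expected price of 1 is an assumption.
    print(mint_is_anomalous(Decimal("10000"),
                            Decimal("1252660242212927.5"), Decimal("1")))
    print(mint_is_anomalous(Decimal("10000"), Decimal("9900"), Decimal("1")))
```
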