Yearn Finance victim of a flash loan exploit: Blockchain security firm alerts DeFi protocol

• DeFi aggregator Yearn Finance is suspected of falling victim to a flash loan exploit, losses currently exceeding $10 million.
• Blockchain security firm PeckShield Inc identified the exploit and noted that the attacker targeted yUSDT.
• AAVE confirmed that its Version 1 that is frozen since December 2022 is not affected by the attack.

Yearn Finance, a DeFi aggregator protocol, suffered an exploit. PeckShield, a blockchain security firm, identified the exploit and notified the DeFi protocols.

Also read: Ethereum successfully completes first $32 million in ETH withdrawals, keeps selling pressure at bay

Yearn Finance suffers flash loan exploit

DeFi protocol Yearn Finance was targeted by a hacker in a flash loan exploit. A flash loan is a kind of unsecured loan offered by AAVE, it allows users to borrow as much as they want without a collateral.

The user utilizes the borrowed funds and repays the debt to the protocol, in time, else the transaction is revered. Flash loan attacks are executed by attackers that have access to collateral, and access to a liquidity pool through which they manipulate the blockchain.

Details of the exploit

PeckShield, a blockchain security firm, explained that the root cause of the flash loan exploit was a massive mint of yUSDT from a $10,000 USDT collateral. 1,252,660,242,212,927 yUSDT was minted using $10,000 USDT and the yUSDT tokens were then cashed out by swapping to stable coins.

Flash loan exploit

The DeFi aggregator Yearn Finance is yet to comment on the incident. In the meanwhile AAVE confirmed that the attack had no impact on its Version 1, a chain that was frozen in December 2022, limiting the damages to $18 million, the Total Value Locked (TVL) of the chain.

Yearn Finance flash loan exploit

Flash loan attacks on Cream Finance, Alpha Homora, dYdX, PancakeBunny

DeFi protocols like Cream Finance, Alpha Homora, dYdX and PancakeBunny have suffered similar attacks between 2020 and 2022. Attackers attempted to steal Liquidity Provider tokens of Cream finance by a $19 million flash loan attack. The protocol has been routinely targeted by flash loan exploits.

The exploit on dYdX was executed through two lending platforms, Compound and Fulcrum and the attacker borrowed WBTC, swapping it for Uniswap, paying back the dYdX protocol and keeping the ETH as spoils.

PancakeBunny’s Bunny Protocol was the victim of a flash loan attack where approximately $45 million worth of tokens were stolen.

Impact on AAVE and YFI prices

AAVE’s price is steady above $78, close to its 24-hour high, since the protocol confirmed that funds on its Version 1 were safe from the DeFi exploit. Aggregator Yearn Finance’s YFI nosedived nearly 5% from $9,375 to $8,938.

The exploit is a developing story and more details are awaited. YFI price could plummet lower with updates on the exploit.