De.Fi Security Team: $10K Turned Into $10M
A hacker exploited a vulnerability in an “outdated” iearn stablecoin to drain $10 million in liquidity from Yearn Finance and Aave Protocol. Following the attack, both Yearn and Aave assured users that current versions of their protocols were not impacted by the exploit.
We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.
— yearn (@iearnfinance) April 13, 2023
This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.
iearn is an immutable contract predating YFI, it was deprecated in 2020.
Vaults v1, with…
"We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols," Yearn tweeted.
Yearn said the exploited contract was deprecated in 2020.
We can confirm that Aave V1 was not impacted. More details below: https://t.co/8a7tTHuydm
— Aave (@AaveAave) April 13, 2023
Aave said the vulnerability did not impact any version of its protocol.
The security team of De.Fi, a Web3 super app and antivirus, broke down the attack in a Twitter thread.
🚨 $10M Exploit Involving @AaveAave and @iearnfinance 🚨
— De.Fi 🛡️ Web3 Antivirus (@DeDotFiSecurity) April 13, 2023
⚡️ Vulnerability in the iearn USDT token $yUSDT token has made the $10M worth of drain possible
🔍 Here is the step-by-step flow of the attack 👇 pic.twitter.com/Zoaqo3n1v5
According to De.Fi, the iearn yUSDT token was misconfigured to reference Fulcrum's $iUSDC instead of Fulcrum's $iUSDT. The attacker exploited this misconfiguration to mint 1.2 quadrillion $yUSDT from just $10,000, then cashed the $yUSDT out for other stablecoins.
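The check below is an added example (not code from the article, De.Fi, Yearn or Aave) of the invariant that the misconfiguration described above violates: every yield token a pooled stablecoin is wired to must wrap the pool's own asset. Token metadata, prices and balances are constructed for illustration; a real pre-deployment check would read them from the contracts.

```python
# Added example, not code from the article, De.Fi, Yearn or Aave.
# Models the bug class described above: a pooled stablecoin wired to a yield
# token (here "iUSDC") whose underlying asset differs from the pool's own
# asset ("USDT"). All token metadata, prices and balances are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class YieldToken:
    symbol: str
    underlying: str   # asset the yield token wraps (assumed metadata field)
    price: float      # underlying units per yield token (constructed value)


# Constructed registry standing in for on-chain metadata reads.
REGISTRY = {
    "iUSDT": YieldToken("iUSDT", "USDT", 1.05),
    "iUSDC": YieldToken("iUSDC", "USDC", 1.04),
}


def config_mismatches(pool_asset: str, wired: list[str]) -> list[tuple[str, str]]:
    """Return (symbol, underlying) for each wired yield token whose underlying
    asset is not the pool's asset, or whose metadata is unknown."""
    bad = []
    for sym in wired:
        tok = REGISTRY.get(sym)
        if tok is None:
            bad.append((sym, "<unknown>"))
        elif tok.underlying != pool_asset:
            bad.append((sym, tok.underlying))
    return bad


def pool_value(pool_asset: str, balances: dict[str, float]) -> float:
    """Value the pool in units of pool_asset, refusing to proceed when any
    wired token does not actually wrap pool_asset (the yUSDT failure mode)."""
    bad = config_mismatches(pool_asset, list(balances))
    if bad:
        raise ValueError(f"pool {pool_asset} wired to foreign assets: {bad}")
    return sum(REGISTRY[s].price * amt for s, amt in balances.items())


# The wiring the article attributes to iearn yUSDT: iUSDC where iUSDT belongs.
MISWIRED = {"iUSDC": 1_000.0}
CORRECT = {"iUSDT": 1_000.0}

if __name__ == "__main__":
    print(config_mismatches("USDT", list(MISWIRED)))   # [('iUSDC', 'USDC')]
    print(pool_value("USDT", CORRECT))                 # 1050.0
```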
De.Fi posted screenshots of the attacker’s two wallets, showing about $10 million in assets spread across $ETH, $aTUSD, $DAI and $USDC.

bsc.news