The decentralised financial (DeFi) protocols Aave and Yearn Finance was claimed to be exploited. It was reported that the attacker stole more than $11 million in stablecoins. PeckShield, a security company, tweeted about the exploit early this morning. LookOnChain, a blockchain analytics portal, revealed that the exploiter stole 3,032,142 DAI, 2,579,483 USDC, 1,785,091 BUSD, 1,512,528 TUSD, and 1,193,756 USDT.
Initially, Aave V1 was considered as the root cause of the issue. But later, Samczsun, a pseudonymous crypto researcher, stated that Yearn Finance’s version of USDT, known as yUSDT, has been broken since it was launched three years ago. He said that it had been “misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.”
Peckshield too, in the beginning, confirmed that the leading cause of the exploit is related to Aave. But later, even they changed their stance. They said the exploit occurred as a result of a misconfigured yUSDT, which is taken advantage of to generate massive yUSDT (1,252,660,242,212,927.5) from a modest $10K USDT. This was then cashed out by swapping to other stablecoins. They updated their statement. “We need to clarify that the root cause is due to misconfigured yUSDT, not related to Aave”.
This was then later corroborated by Aave developers as well. Even the developers said that the protocol was unaffected and was only utilised to transfer tokens to carry out the hack, which primarily included Yearn Finance’s yUSD stablecoin. They said they are aware of an issue that appears to be isolated to the learn legacy protocol, launched in 2020, and the liquidity pool. Yearn Finance contributor Storm Blessed 0x tweeted. “Yearn v2 vaults seem not to be impacted. Yearn contributors are investigating.”
Aave integrations lead, Marc Zeller, later tweeted that Aave V1 has been locked since December 2022. “The current size of V1 is $18M, and the Aave safety module is $382.50M,” Zeller noted. Aave also recognised the exploit, saying that it had no effect on Aave V2 or Aave V3.
Aave and Yearn Finance are both keeping an eye on the issue. Already in 2023, there have been several vulnerabilities, with major DeFi platforms being the primary victims. Recent assaults have targeted major corporations such as Euler, Platypus, and Dexible. SushiSwap recently experienced a $3.3 million breach due to an approval-related flaw in its RouterProcessor2 contract. Since the beginning of the year, more than $20 million has been stolen from the DeFi market, according to DefiLlama.