Analysis of the Curio Exploit
Learn how Curio was exploited, which resulted in a loss of approximately $16 million.
Youtube Video
Playing the video that you've selected below in an iframe
Learn how a misconfigured vault was used to exploit Yearn Finance, leading to a $11.54 million loss.
On April 13, 2023, Yearn Finance was exploited in a series of transactions which resulted in a total loss of approximately $11.54 million.
Yearn Finance is a yield aggregator that provides individuals, DAOs, and other protocols a way to deposit digital assets and receive yield.
The root cause of the vulnerability is a bug in the misconfigured yUSDT vault, which was effectively exploited to mint a huge amount of yUSDT tokens.
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
According to their contract implementation, the iearn USDT token (yUSDT) has been misconfigured since the time of its deployment, which dates over 1000 days ago, and is using the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.
Step 3:
To put things into perspective, the yUSDT token, which is supposed to be a yield-generating version of USDT, was actually using a different token (iUSDC) as its underlying asset.
constructor() public ERC20Detailed("iearn USDT", "yUSDT", 6) {
token = address(0xdAC17F958D2ee523a2206206994597C13D831ec7);
apr = address(0xdD6d648C991f7d47454354f4Ef326b04025a48A8);
dydx = address(0x1E0447b19BB6EcFdAe1e4AE1694b0C3659614e4e);
aave = address(0x24a42fD28C976A61Df5D00D0599C34c4f90748c8);
fulcrum = address(0xF013406A0B1d544238083DF0B93ad0d2cBE0f65f);
aaveToken = address(0x71fc860F7D3A592A4a98740e39dB31d25db65ae8);
compound = address(0x39AA39c021dfbaE8faC545936693aC917d5E7563);
dToken = 0;
approveToken();
}
Step 4:
The attacker initially took a flash loan of 5 million $DAI, 5 million $USDT, and 2 million $USDT from the Balancer vault and deposited them in the yUSDT contract.
Step 5:
The yUSDT contract is used to mint yUSDT tokens that represent USDT deposits in Yearn Finance. After redeeming yUSDT to USDT, the attacker is able to withdraw all of the assets from Aave V1 vault, after which the uUSDT vault was fully invested in bZxUSDC.
Step 6:
The attacker is able to trigger a rebalance by withdrawing bZxUSDC into USDC, reducing the value per yUSDT to practically 0. As a result, the hacker was able to mint over 1 quadrillion yUSDT tokens from just 1 wei of USDT deposit, essentially minting an enormous amount of yUSDT for free.
Step 7:
The obtained yUSDT was further swapped to Curve pools for USDT, USDC, and DAI, and the borrowed flash loan was paid back, while the hacker kept the majority of the hacked amounts for profits.
Step 8:
The hacked funds worth approximately $11.54 million includes, 61K $USDP, 1.5 million $TUSD, roughly 1.79 million $BUSD, 1.2 million $USDT, 2.58 million $USDC and 3 million $DAI
Following the incident, the team associated with Yearn Finance stated that the exploit occurred in the iearn legacy protocol launched in 2020 and liquidity pool, but Yearn v2 vaults were not impacted.
The team also acknowledged the incident with the outdated contract from before vaults v1 and v2, and will be sharing further updates pending a detailed investigation.
Aave also clarified that the incident had no impact on their V1, V2, and V3 contracts.
The hacker was able to exploit a long-standing misconfiguration in the yUSDT vault to initiate a complex chain of transactions that led to the theft of approximately $11.54 million. This vulnerability could have been detected with rigorous security protocols in place, such as regular auditing, code reviews, and stress testing. Moreover, formal verification tools could have been used to ensure that the smart contracts were behaving as expected.
However, even the most comprehensive security measures are not completely foolproof. Hence, in addition to robust security standards, risk mitigation strategies are of the utmost importance. One such strategy is to establish a dedicated cover pool in the Neptune Mutual marketplace. If Yearn Finance had done so, the financial aftermath of this hack could have been greatly mitigated.
Neptune Mutual's parametric cover policies provide coverage for losses due to smart contract vulnerabilities. Affected users would have been able to receive payouts without the need for individual loss verification, providing immediate financial relief. Claiming the payouts is a straightforward process, enacted as soon as the incident is resolved through Neptune Mutual's incident resolution system. This approach reduces not only the financial impact of such hacks but also the administrative burden on the victims. At the moment, our marketplace is available on two popular blockchain networks: Ethereum and Arbitrum.
Additionally, Neptune Mutual goes beyond simply providing coverage. Our dedicated security team offers evaluations of various facets of platform security, such as DNS and web-based security, frontend and backend security, and intrusion detection and prevention. This comprehensive approach could have helped identify the misconfiguration or any other security gaps that may exist in Yearn Finance's system.
Reference Source BlockSec