How Was Yearn Finance Exploited?


Learn how a misconfigured vault was used to exploit Yearn Finance, leading to an $11.54 million loss.


On April 13, 2023, Yearn Finance was exploited in a series of transactions which resulted in a total loss of approximately $11.54 million.

Introduction to Yearn Finance

Yearn Finance is a yield aggregator that provides individuals, DAOs, and other protocols a way to deposit digital assets and receive yield.

Vulnerability Assessment

The root cause of the vulnerability is a bug in the misconfigured yUSDT vault, which was exploited to mint a huge amount of yUSDT tokens.


Step 1:

We attempted to analyze the attack transaction executed by the exploiter.

Step 2:

According to its contract implementation, the iearn USDT token (yUSDT) has been misconfigured since its deployment over 1000 days ago: it uses the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.

Step 3:

To put things into perspective, the yUSDT token, which is supposed to be a yield-generating version of USDT, was actually using a different token (iUSDC) as its underlying asset.

constructor () public ERC20Detailed("iearn USDT", "yUSDT", 6) {
    // Underlying asset of the vault: USDT
    token = address(0xdAC17F958D2ee523a2206206994597C13D831ec7);
    apr = address(0xdD6d648C991f7d47454354f4Ef326b04025a48A8);
    dydx = address(0x1E0447b19BB6EcFdAe1e4AE1694b0C3659614e4e);
    aave = address(0x24a42fD28C976A61Df5D00D0599C34c4f90748c8);
    // Misconfigured: per the analysis above, this is the Fulcrum iUSDC token, not iUSDT
    fulcrum = address(0xF013406A0B1d544238083DF0B93ad0d2cBE0f65f);
    aaveToken = address(0x71fc860F7D3A592A4a98740e39dB31d25db65ae8);
    compound = address(0x39AA39c021dfbaE8faC545936693aC917d5E7563);
    dToken = 0;
}

Step 4:

The attacker initially took a flash loan of 5 million $DAI, 5 million $USDT, and 2 million $USDT from the Balancer vault and deposited them in the yUSDT contract.

Step 5:

The yUSDT contract is used to mint yUSDT tokens that represent USDT deposits in Yearn Finance. After redeeming yUSDT to USDT, the attacker is able to withdraw all of the assets from the Aave V1 vault, after which the yUSDT vault was fully invested in bZxUSDC.

Step 6:

The attacker is able to trigger a rebalance by withdrawing bZxUSDC into USDC, reducing the value per yUSDT to practically 0. As a result, the hacker was able to mint over 1 quadrillion yUSDT tokens from just 1 wei of USDT deposit, essentially minting an enormous amount of yUSDT for free.

Step 7:

The obtained yUSDT was then swapped in Curve pools for USDT, USDC, and DAI, and the borrowed flash loan was paid back, while the hacker kept the majority of the hacked amounts as profit.

Step 8:

The hacked funds, worth approximately $11.54 million, include 61K $USDP, 1.5 million $TUSD, roughly 1.79 million $BUSD, 1.2 million $USDT, 2.58 million $USDC, and 3 million $DAI.
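The share-price collapse described in Step 6 can be reproduced in a small accounting model, alongside a guard that would refuse the mint. This is an added example, not code from the iearn contracts: the proportional formula `shares = amount * total_supply / pool_value`, the class and method names, the price-drop guard and all sample amounts are assumptions made for illustration.

```python
SCALE = 10**18  # fixed-point scale for price per share

class ShareVault:
    """Toy vault model; every name here is hypothetical, not iearn code."""

    def __init__(self, max_drop_bps=None):
        self.total_supply = 0   # shares outstanding (yUSDT in the article)
        self.counted = 0        # assets the valuation function can see
        self.uncounted = 0      # assets sitting in a wrongly configured market
        self.max_drop_bps = max_drop_bps  # None disables the guard
        self.last_price = None  # price per share after the last deposit

    def price(self):
        return self.counted * SCALE // self.total_supply

    def _guard(self):
        if self.counted == 0:
            raise RuntimeError("pool value is zero; minting refused")
        if self.max_drop_bps is None:
            return
        floor = self.last_price * (10_000 - self.max_drop_bps) // 10_000
        if self.price() < floor:
            raise RuntimeError("share price below guard floor; minting paused")

    def deposit(self, amount):
        if amount <= 0:
            raise ValueError("deposit must be positive")
        if self.total_supply == 0:
            shares = amount
        else:
            self._guard()
            # Assumed proportional formula: lower pool value means more shares
            shares = amount * self.total_supply // self.counted
        self.counted += amount
        self.total_supply += shares
        self.last_price = self.price()
        return shares

    def rebalance_into_wrong_market(self, keep=1):
        # Funds move to a market the valuation ignores, so pool value collapses
        self.uncounted += self.counted - keep
        self.counted = keep

def demo(max_drop_bps=None):
    v = ShareVault(max_drop_bps)
    v.deposit(1_000_000 * 10**6)     # constructed: 1M tokens at 6 decimals
    v.rebalance_into_wrong_market()  # valuation now sees 1 base unit
    return v.deposit(1)              # smallest possible deposit
```

Without the guard, `demo()` mints as many shares for one base unit as the first depositor received for one million tokens; with `demo(max_drop_bps=100)` the same deposit is rejected because the price per share fell more than 1% since the last deposit.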


Following the incident, the team associated with Yearn Finance stated that the exploit occurred in the iearn legacy protocol launched in 2020 and a liquidity pool, and that Yearn v2 vaults were not impacted.

The team also acknowledged the incident with the outdated contract from before vaults v1 and v2, and will be sharing further updates pending a detailed investigation.

Aave also clarified that the incident had no impact on their V1, V2, and V3 contracts.


It is critical to understand that no security measure is perfect, but implementing rigorous security standards can greatly reduce the risk of all such attacks on DeFi protocols. These standards can aid in identifying and addressing potential attack vectors before they are exploited by attackers. Many formal verification tools can also be used to ensure that the smart contract behaves as it is intended to.

Independent third-party auditors should conduct regular smart contract audits to identify vulnerabilities and recommend mitigation strategies. This can aid in identifying and addressing potential attack vectors before they are exploited by attackers.

We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if the team associated with Yearn Finance had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference source: BlockSec