<p>An exploit involving an early version of the DeFi protocol Yearn Finance, called iearn, took place earlier today, causing damages of $11.6 million, according to PeckShield.</p> <p>The exploiter received a mix of stablecoins, including DAI, USDC, BUSD, TUSD and USDT, <a href="https://twitter.com/lookonchain/status/1646404007051800576">according</a> to LookOnChain.</p> <h2>Broken for three years</h2> <p>Pseudonymous crypto researcher Samczsun claimed that Yearn Finance's version of USDT, called yUSDT, has been broken since it was deployed around three years ago. He said it was "misconfigured to use <span class="css-901oao css-16my406 r-poiln3 r-bcqeeo r-qvutc0">the Fulcrum iUSDC token instead of the Fulcrum iUSDT token."</span></p> <p><span class="css-901oao css-16my406 r-poiln3 r-bcqeeo r-qvutc0">PeckShield <span class="kqEaA z8gr9e">corroborated</span> this idea. It <a href="https://twitter.com/peckshield/status/1646411259125063686">said</a> that the root cause appears to be the misconfigured yUSDT. This was exploited to mint 1.2 quadrillion yUSDT from just $10,000. This was then cashed out by swapping to other stablecoins.</span></p> <p>"<span class="css-901oao css-16my406 r-poiln3 r-bcqeeo r-qvutc0">We are aware of an issue that seems isolated to the iearn legacy protocol launched in 2020 and liquidity pool," <a href="https://twitter.com/storming0x/status/1646408774477922305">said</a> Yearn Finance contributor Storm Blessed 0x on Twitter. "Yearn v2 vaults seem not to be impacted. Yearn contributors are investigating."</span></p> <h2>Aave V1 used but wasn't exploited</h2> <p>The attack used the Aave V1 protocol in making a large array of swaps but the Aave team said that it wasn't exploited.</p> <p>"<span class="css-901oao css-16my406 r-poiln3 r-bcqeeo r-qvutc0">We can confirm that Aave V1 was not impacted,"</span><span class="css-901oao css-16my406 r-poiln3 r-bcqeeo r-qvutc0"> <a href="https://twitter.com/StaniKulechov/status/1646412538509426688">said</a> Aave CEO Stani Kulechov on Twitter.</span></p> <p>"We need to clarify that the root cause is due to misconfigured yUSDT, not related to Aave," <a href="https://twitter.com/peckshield/status/1646412503583432704">added</a> PeckShield.</p> <p><em>This story has been updated to show how the exploit took place, which protocols it affected and with PeckShield's latest estimate on the size of the hack.<br /> </em></p><br /><span class="copyright"><p>© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.</p> </span>