Exploit involving early version of Yearn Finance saw damages of $11.6 million: PeckShield

Quick Take

  • PeckShield said the size of the hack was $11.6 million.
  • It appears to involve a misconfigured token created by an early version of Yearn Finance.

An exploit involving an early version of the DeFi protocol Yearn Finance, called iearn, took place earlier today, causing damages of $11.6 million, according to PeckShield.

The exploiter received a mix of stablecoins, including DAI, USDC, BUSD, TUSD and USDT, according to LookOnChain.

Broken for three years

Pseudonymous crypto researcher Samczsun claimed that Yearn Finance's version of USDT, called yUSDT, has been broken since it was deployed around three years ago. He said it was "misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token."

PeckShield corroborated this idea. It said that the root cause appears to be the misconfigured yUSDT. This was exploited to mint 1.2 quadrillion yUSDT from just $10,000. This was then cashed out by swapping to other stablecoins.

"We are aware of an issue that seems isolated to the iearn legacy protocol launched in 2020 and liquidity pool," said Yearn Finance contributor Storm Blessed 0x on Twitter. "Yearn v2 vaults seem not to be impacted. Yearn contributors are investigating."


Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy