Older Versions of Aave, Yearn Finance Exploited for $11.6M

Aave V1 and an older version of the Yearn Finance protocol were hacked for $11.2 million on April 13 due to a vulnerability in Yearn’s USDT token, yUSDT.

Aave is one of DeFi’s oldest lending and borrowing protocols, letting users earn yield for depositing various cryptocurrencies. Yearn Finance is another popular DeFi protocol that aggregates various yield opportunities from around the market into a single platform.

The yUSDT token is a yield-accruing token that tracks a user’s USDT stablecoin balance deposited in Yearn contracts.

“It was misconfigured to use the Fulcrum’s iUSDC token instead of the Fulcrum’s iUSDT token,” noted Paradigm’s researcher, Samczsun. Fulcrum is a DeFi platform that allows users to borrow and lend ETH and other ERC-20 tokens.

The damage was limited since only the older versions of the protocols were attacked. Aave V1 had around $20 million in total deposits on April 12, a day before the hack, per DeFiLlama data.

Storm Blessed 0x, a senior developer at Yearn, and the Aave team confirmed that only the legacy versions of the protocols were likely hit, with no harm done to the latest versions. The Aave team also claimed that they froze new deposits into V1 in December 2022.

We are aware of an issue that seems isolated to the iearn legacy protocol launched in 2020 and liquidity pool.

Yearn v2 vaults seem not to be impacted.

Yearn contributors are investigating.

Further comms to follow on main account. https://t.co/CKddWwjFj8

— Storm Blessed 0x 🇯🇵 (@storming0x) April 13, 2023

The attackers have already started withdrawing ETH through the Ethereum mixer Tornado Cash, with 1,000 ETH worth around $1.9 million withdrawn so far, per PeckShield.

Marc Zeller, the founder of Aave’s governance platform Aave-Chan, tweeted after the hack that the Safety Module of Aave has around $382.5 million, which far outpaces the total deposits on Aave V1.

The affected users will likely be paid from the Safety Module or Yearn’s insurance funds, based on what the two community leads agree upon.

Attacks such as this have become common in the DeFi sector.

In March, Euler Finance, another lending and borrowing protocol, was exploited for nearly $200 million across a variety of cryptocurrencies. Shortly after, SushiSwap, a decentralized crypto exchange, was hacked for $3.3 million.

The Euler team successfully negotiated the return of the majority of funds, and SushiSwap has also rolled out a recovery plan for affected users.

Source: https://decrypt.co/126194/older-versions-of-aave-yearn-finance-exploited-11-6m
