Posted on April 13, 2023 at 9:46 AM
Yearn.finance was the latest victim of a hack in the decentralized finance (DeFi) sector. The hack enabled the threat actor to mint more than 1 quadrillion Yearn Tether (yUSDT) from $10,000 USDT. It was reported by blockchain security firm PeckShield.
Hacker exploits Yearn.finance contract to mint yUSDT
PeckShield issued an alert on this exploit on Twitter. The blockchain security firm said that after the hacker minted Yearn Tether, they swapped it for other stablecoins, leaving them with $11.6 million worth of assorted stablecoins.
The attacker converted the stolen yUSDT to 61,000 Pax Dollar, 1.5 million TrueUSD, 1.79 million Binance USD, 1.2 million USDT, 2.58 million USD Coin, and 3 million Dai tokens. These stablecoins are all pegged to the value of one US dollar.
The PeckShield report also noted that the hacker had already started laundering the stolen funds. It said that the hacker transferred 1000 ETH, equivalent to over $2M at current prices, to Tornado Cash. Tornado Cash is a crypto mixer tool sanctioned by the US government last year.
PeckShield also alerted DeFi platform Aave and Yearn.finance to what had transpired. The DeFi lending protocol Yearn.finance conducted initial investigations into this incident. The protocol issued a statement saying the breach did not have a broad impact.
Yearn.finance said that the exploit was limited to the iearn service. The iearn contract is outdated and existed before Vaults v1 and v2. The protocol clarified that current Yearn.finance contracts and protocols were not affected by this exploit.
The statement issued by Yearn.finance said, “We’re looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols. iearn is an immutable contract predating YFI, it was deprecated in 2020.”
The company further said that Vaults v1, which used upgradeable strategies, was also outdated in 2021, but there were no signs that it had been affected. The protocol relies on the current version, Yearn v2 Vaults.
The Aave lending protocol also issued a statement saying that the issue did not affect Aave v2 and v3. The company said it was investigating whether the oldest version of the protocol, Aave v1, was affected. It later clarified that Aave v1 was also not affected. The protocol said that it appeared as if the iearn USDT (yUSDT) token had had issues since it was deployed.
Hacks in the crypto industry
The crypto and DeFi industries are increasingly susceptible to hacking attacks. It appears that firms offering crypto and DeFi services will have to work aggressively to keep hackers at bay in Q2, given that exploits have increased alarmingly.
Besides Yearn.finance, another recent victim of an attack is the Bitrue exchange. Attackers drained $23 million worth of cryptocurrency from a crypto wallet belonging to the exchange. Bitrue confirmed this exploit in a tweet on Friday.
The exchange did not offer any details on how this attack took place. However, it said the exploit happened in one of the company’s hot wallets on April 14. The exchange further said that it was swift in addressing the matter, preventing the attackers from stealing more funds.
According to Bitrue, these hackers withdrew crypto assets valued at around $23 million. The stolen assets include Ether, GALA, SHIB, HOT, QNT, and MATIC. The exchange also noted that the wallet that was exploited in this attack held less than 5% of the overall reserves of the company, adding that the remaining wallet was not affected and the funds contained within were safe.
The Bitrue exchange has temporarily suspended all withdrawals because of this attack. The exchange has scheduled withdrawals to resume on April 18. It also said that any users affected by this breach would receive their compensation in full. Bitrue is one of the largest exchanges, with more than $1 billion in daily trades.
Although hacks have been rampant across the crypto and DeFi industries in recent years, the amount stolen in the most recent quarter was notably lower than in earlier periods. A quarterly report by CertiK said that over $320M was lost to exploits in Q1 2023. The stolen amount was lower than reported in Q1 2022, when $1.3 billion was stolen, and in Q4 2022, when $950M was lost to hackers.