
A hacker who exploited an outdated Yearn Finance contract minted over a quadrillion yUSDT and swapped it for over $11 million worth of other stablecoins.

The attack was first identified by PeckShield, a blockchain security and data analytics company that discovered the $197 million attack on the DeFi platform Euler Finance just a month ago.

According to PeckShield, the hacker leveraged 10,000 USDT to mint over 1,252,660,242,212,927.5 yUSDT, the Yearn Finance placeholder stablecoins better known as Yearn Tether.

The hacker then swapped the yUSDT for other stablecoins. These included 1.2 million USDT, 2.6 million USDC, 3 million DAI, 1.6 million TrueUSD, and 61,000 PAX dollars. He also swapped the yUSDT for 1.79 million BUSD, the Binance-linked stablecoin under scrutiny by the U.S. securities regulator.

The hacker transferred 1.5 million TrueUSD stablecoins to the DeFi platform Aave and borrowed 634 ETH. He then converted some of the other stablecoins to ETH and moved over 1000 ETH to Tornado Cash for laundering. This is just the latest instance of the U.S. Treasury-sanctioned coin mixer being used to launder funds from hacks and other illegal activities.

Yearn Finance later reassured users that the vulnerability was limited to iearn, an outdated contract deployed by the platform’s infamous founder Andre Cronje.

This outdated version, deployed in 2020, is immutable, so developers can’t apply any security updates to it. It has, however, been replaced by V1 in 2021 and by the current V2. Both are unaffected, according to Yearn.

Yearn has regularly warned developers against deploying applications on top of outdated code. However, on-chain data shows that the vulnerable iearn was still in use before the exploit.

The vulnerability is nothing new, at least for Cronje’s projects. The developer, who was loved and loathed in equal measure, is known for deploying his projects before they were fully developed and working on vulnerabilities in live mode. The approach was quite risky, as users’ assets were always on the line. Yearn Finance users were victims of this approach in 2021, when a hacker exploited a vulnerability to steal $2.8 million.
