Home » Business » Hackers mint 1 quadrillion yUSDT in $11.6M Yearn Finance exploit

Hackers mint 1 quadrillion yUSDT in $11.6M Yearn Finance exploit

Business 17 April 2023

A hacker who exploited an outdated Yearn Finance contract minted over a quadrillion yUSDT and swapped it for over $11 million worth of other stablecoins.

The attack was first identified by PeckShield, a blockchain security and data analytics company that discovered the $197 million attack on the DeFi platform Euler Finance just a month ago.

Hi @AaveAave @iearnfinance, you may want to take a look: https://t.co/61wSYHqwvs
— PeckShield Inc. (@peckshield) April 13, 2023

According to PeckShield, the hacker leveraged 10,000 USDT to mint over 1,252,660,242,212,927.5 yUSDT, the Yearn Finance placeholder stablecoins better known as Yearn Tether.

The hacker then swapped the yUSDT for other stablecoins. These included 1.2 million USDT, 2.6 million USDC, 3 million DAI, 1.6 million TrueUSD, and 61,000 PAX dollars. He also swapped the yUSDT for 1.79 million BUSD, the Binance-linked stablecoin under scrutiny by the U.S. securities regulator.

The hacker transferred 1.5 million TrueUSD stablecoins to the DeFi platform Aave and borrowed 634 ETH. He then converted some of the other stablecoins to ETH and moved over 1000 ETH to Tornado Cash for laundering. This is just the latest instance of the U.S. Treasury-sanctioned coin mixer being used to launder funds from hacks and other illegal activities.

Yearn Finance later reassured users that the vulnerability was limited to iearn, an outdated contract deployed by the platform’s infamous founder Andre Cronje.

This outdated version, deployed in 2020, is immutable, and developers can’t make any security updates. It has, however, been replaced by versions V1 in 2021 and the current V2. Both are unaffected, according to Yearn.

Yearn has regularly warned developers against deploying applications on top of outdated code. However, on-chain data shows that the vulnerable iearn was still in use before the exploit.

The vulnerability is nothing new, at least for Cronje’s projects. The developer, who was loved and loathed in equal measure, is known to deploy his projects before they were fully developed and work on vulnerabilities in live mode. The approach was quite risky as the users’ assets were always on the line. Yearn Finance users were victims of this approach in 2021 when a hacker exploited a vulnerability to steal $2.8 million.

Watch: Sentinel Node Blockchain Tools to Improve Cybersecurity

YouTube video

width="562" height="315" frameborder="0" allowfullscreen="allowfullscreen">

New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.

Related News

latest news

Artificial Intelligence - Enterprise

Business 4 hours ago

Massachusetts AG releases AI advisory for enterprises amid soaring adoption rates

Massachusetts AG's advisory took swipes at the “false advertising” in AI and warned that AI firms engaged in deceptive marketing could face dire sanctions under the state’s consumer protection rules.

English pounds with coin

Business 10 hours ago

Banking giants take part in UK Finance’s Regulated Liability Network experimentation

UK Finance's RLN experimentation will focus on three primary aspects: reducing fraud in online marketplaces, improving customer transparency, and establishing a digital bond settlement.

Digital asset and judge gavel

Business 12 hours ago

New US stablecoin bill doesn’t mention Tether, but it didn’t have to

The Gillibrand-Lummis bill intends to distinguish Tether and Circle as lawmakers look to allow state non-depository trust companies to issue stablecoins with market caps below $10 billion.