Decentralized Finance Protocol Yearn Finance Token Exploit Leads to Millions in Losses

A bug in a token of the decentralized finance (DeFi) protocol Yearn Finance led to an exploit resulting in millions of dollars in losses, according to security firm PeckShield. The exploit was conducted on Aave version 1, and the stablecoins Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD), and TrueUSD (TUSD) were affected. The total losses could amount to over $11 million, based on data analysis.

Exploit Details

PeckShield confirmed that, in the early Asian hours, the exploiters were able to mint over 1.2 quadrillion yUSDT using a $10,000 initial deposit. The tokens were then used to deceive the Yearn Finance protocol and eventually cash out millions in stablecoins.

Aave V1 was previously believed to have been impacted by the exploit, but Aave developers stated that the protocol was unaffected and only used to swap tokens to carry out the exploit, which primarily involved Yearn Finance’s yUSD stablecoin.

Clarification and Impact to Aave

Following the initial flag, PeckShield clarified that a misconfigured yUSDT was the root cause of the issue and that it was not related to Aave. Marc Zeller, an Aave integrations lead, stated that the impact on the protocol was minimal because version 1 had been frozen since December 2022. Zeller further explained that version 2 and version 3 of Aave were not impacted at the time of writing. The current size of V1 is $18M, and the current size of the Aave safety module is $382.50M.

This situation is still developing, and updates will be made as more information becomes available. It serves as a reminder that even decentralized finance protocols can fall prey to exploits and vulnerabilities, emphasizing the importance of security measures to protect users’ funds.