DeFi: Yearn Finance Lost $11M After Attackers Exploited An Outdated Contract – TronWeekly

DeFi protocols Yearn Finance and Aave were exploited to the tune of more than $11.6 million owing to a misconfigured yUSDT, blockchain security expert PeckShield revealed.

Initially, the attack was thought to be limited to Aave V1, but on-chain sleuths later found that Aave V1 was instead exploited to mint a huge amount of yUSDT from a small $10K of USDT.

The minted yUSDT was then cashed out by swapping it for other stablecoins. The flash loan exploiter has so far stolen millions worth of USDT, TUSD, BUSD, USDC, and DAI.

Meanwhile, Yearn issued a public statement as its team continues its investigation.

"We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iEarn and does not impact current Yearn contracts or protocols. iearn is an immutable contract predating YFI, it was deprecated in 2020. Vaults v1, with upgradeable strategies, was also deprecated in 2021. There's no indication it's affected. The current version, Yearn v2 Vaults [written in Vyper], remains unaffected as well."

As further information came to light, different security analysts pointed out that the issue is still specific to the liquidity pool and the 2020-launched iEarn legacy protocol. Vaults for Yearn v2 don't appear to be affected.

"It seems like the iEarn USDT token [yUSDT] has been broken since deployment, which was *checks notes* over 1000 days ago. It was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token," white-hat hacker samczsun stated.

For those new to the space, prominent Web3 developer Andre Cronje pioneered two DeFi projects, yEarn Finance and iEarn. Cronje renamed iEarn to Yearn Finance [YFI] in July 2020 after it showed success in yield aggregation.

Meanwhile, a similar incident of smart contract exploitation took place a few days back.

Popular decentralized protocol Sushi DEX reported a loss of over $3 million due to a bug on the RouterProcessor2 contract that is used to route trades on the SushiSwap exchange.

The issue seems to only impact customers who approved SushiSwap contracts in the previous four days, according to @0xngmi, a pseudonymous DefiLlama developer.

After the incident, SushiSwap chief developer Jared Grey asked users to remove access to any contracts on the platform as a security precaution.

Grey also assured that the team was working with security teams to mitigate the issue.
