PeckShield, a blockchain security and data analytics firm, has flagged an incident in which an attacker abused an old Yearn Finance contract to mint more than a quadrillion yUSDT, then swapped those tokens for other stablecoins worth over $11 million. The attack came roughly a month after PeckShield identified the $197 million exploit of Euler Finance, another DeFi protocol.
According to PeckShield, the attacker turned an initial 10,000 USDT into 1,252,660,242,212,927.5 yUSDT (Yearn Tether), the token the legacy Yearn contract issues against USDT deposits. The attacker then traded the yUSDT for a mix of other stablecoins: 1.2 million USDT, 2.6 million USDC, 3 million DAI, 1.6 million TrueUSD and 61,000 PAX dollars. The attacker also swapped yUSDT for 1.79 million BUSD, the Binance-branded stablecoin currently under investigation by the U.S. securities regulator.
The attacker then deposited 1.5 million TrueUSD into the lending protocol Aave and borrowed 634 ETH against it. To obscure the trail, the attacker converted part of the stablecoin haul into ETH and sent more than 1,000 ETH to Tornado Cash, the coin mixer sanctioned by the U.S. Treasury, which has repeatedly been used to launder proceeds of hacks. Yearn Finance has confirmed that the vulnerability exists only in an outdated contract known as iearn, deployed by founder Andre Cronje in 2020. That contract is immutable, so its developers cannot patch it. It was superseded by V1 in 2021 and by the current V2, and Yearn says neither is affected.
Yearn has warned developers against building on the outdated code, yet on-chain data shows the vulnerable iearn contract was still in use before the exploit. Security problems of this kind are nothing new for Cronje's projects. The developer, who draws both admiration and criticism, is known for shipping projects before they are finished and fixing vulnerabilities after they are already live. That approach carries obvious risk, since user funds are exposed while the code is still being hardened. Yearn Finance users paid the price in 2021, when an attacker exploited a vulnerability and made off with $2.8 million.