DeFi protocol Yearn.Finance suffered an exploit. A hacker stole more than $11 million in digital assets from the platform.
On April 13, an unknown hacker exploited a vulnerability in the smart contract of the yUSDT stablecoin on Yearn.Finance. According to a report by PeckShield, the attacker managed to seize ~$11.6 million in digital assets.
PeckShield analysts said the hacker was able to mint over 1.2 quadrillion yUSDT using a 10,000 USDT deposit. The attacker then exchanged the issued coins for stablecoins:
- ~61,000 USDP;
- ~1.5 million TUSD;
- ~1.79 million BUSD;
- ~1.2 million USDT;
- ~2.58 million USDC;
- ~3 million DAI.
The hacker exchanged the 1.5 million stolen TUSD for 634 ETH via the AAVE DeFi protocol, and exchanged the remaining stablecoins for another ~600 ETH through various crypto exchanges. By the time the hack was discovered, more than 1,000 ETH from the exploiter’s wallet had already been sent to Tornado Cash.
Yearn.Finance representatives reported that the “issue” concerned “a legacy protocol” from 2020 and liquidity pools, and assured users that Yearn v2 vaults weren’t affected. The project team is working with CertiK and other blockchain application security companies to investigate the incident.
The other day, the decentralized exchange SushiSwap was exploited, and the attacker withdrew 1,800 ETH (~$3.3 million). Earlier, hackers performed one of the biggest attacks on the DeFi sector in 2023, breaking into the Euler Finance lending protocol and withdrawing over $196 million in crypto from it.