Key Highlights
- The hack targeted iEarn TUSD, a deprecated protocol deployed in 2020 that predates Yearn’s modern Vault system.
- Yearn Finance confirmed that its V2 and V3 Vaults, currently holding over $410 million, remain entirely unaffected.
- The attacker utilized flash loans from Aave V1/V2 and dYdX to manipulate the TUSD pool before cashing out 103 ETH.
A complex hack of the decentralized finance (DeFi) protocol Yearn Finance V1 has resulted in a $300,000 loss, once again exposing the persistent risks lurking in “dead” DeFi contracts. Security firm PeckShieldAlert first identified the anomaly, tracking the attacker as they swapped various stablecoins into 103 ETH, which are currently residing in one wallet.
According to data provided by PeckShield Alert, the attack took off with a withdrawal of $203,491 worth of TUSD from Aave Protocol V1, along with a loan of $4,068 worth of USDC from dYdX. The attacker further took a flash loan of almost $245,906 worth of TUSD from Aave Protocol V2.
The stolen funds moved quickly across Curve and Yearn Finance, swapping four different tokens and shifting millions in stablecoins. Big amounts included $30 million from Morpho, $10 million from Yearn, and $11 million through Curve’s DAI/USDC pool.
Smaller sums of $7.7 million and $46.5 million also traded across various wallets. The attacker paid very little in fees—just $611 in Ethereum and 0.01 ETH ($29.60).
Legacy iEarn contracts trigger vulnerability
Yearn Finance confirmed that the exploit targeted iEarn’s immutable TUSD contract, deployed over 2,100 days ago, unrelated to current Yearn vaults. The team emphasized that modern Yearn v2 Vaults remain unaffected.
Yearn explained, “This problem is exclusive to iEarn and does not impact current Yearn contracts or vaults.” Similar issues in 2023 with the iEarn USDT contract had led to multiple Curve pools being exploited, impacting liquidity providers downstream. Historically, Yearn’s legacy v1 Vaults wrapped affected LP tokens, which meant some users indirectly felt the consequences.
In late November, the yETH stableswap pool also suffered an $8 million loss due to a subtle arithmetic flaw in its custom Curve-based contract. The yETH–WETH pool lost another $900,000. Yearn’s proactive recovery in December retrieved $2.4 million of the yETH exploit, demonstrating coordinated efforts with partners Plume and Dinero.
DeFi attack patterns and unexpected outcomes
The hacker relied on connected contracts, a small amount of starting ETH, and well-timed flash loans to carry out the attack. In a similar case, the Raft protocol lost $3.3 million in ETH due to flaws in its R stablecoin. Interestingly, the hacker sent only 18 ETH through Tornado Cash and ended up destroying 1,570 ETH, leaving just 14 ETH behind.
Igor Igamberdiev, Head of Research at Wintermute, explained, “Coins went to the null address, which has no private key.” Hence, the attacker inadvertently lost a portion of the stolen ETH.
These attacks have highlighted vulnerabilities inherent in existing DeFi smart contracts, specifically pre-existent DeFi smart contracts that fail to conform to current governance and security best practices. Furthermore, attackers are executing complex cross-protocol transactions using platforms and flash loans.
The recent hack of Yearn Finance V1 illustrates the need for scrutiny of old DeFi contract codes. Luckily, the Current Vaults are safe, but people must exercise caution when dealing with old codes.
Also Read: Michael Saylor Says Quantum Will Not Break But ‘Harden’ Bitcoin