Yearn Finance exploited for over $10M in stablecoins
The flash loan exploiter has so far stolen millions worth of USDT, TUSD, BUSD, USDC, and DAI.
Decentralized finance (DeFi) protocols Aave and Yearn Finance were targeted in a flash loan attack, Pechshield pointed out in a tweet.
The exploiter has already drained over $10 million in stablecoins from the Yearn Finance protocol; however, Aave noted in a tweet that Aave V1, V2, and V3 were not impacted by the attack.
Stablecoins drained due to the exploit include $3 million DAI, $2.5 million USD Coin (USDC), $1.7 million BinanceUSD (BUSD), $1.19 million Tether (USDT), and $1.5 million worth of True USD (TUSD), according to Lookonchain.
Peckshield said the root cause of the attack on Yearn Finance was a misconfiguration of yUSDT; the liquidity token pegged to your deposited USDT. This allowed the attacker to mint a huge amount of yUSDT using only $10,000 worth of USDT. The exploiter then swapped the yUSDT tokens with other stablecoins.
According to De.Fi Security Experts, $yUSDT was modified to use the Fulcrum iUSDC token as opposed to the original Fulcrum iUSDT token.
De.Fi’s Security Department said the vulnerability of the $yUSDT token was used to mint 1.2 quadrillion yUSDT. The yUSDT were swapped to various stablecoins to withdraw the liquidity on personal wallets and the attacker is stablecoins on the Ethereum blockchain on these wallet addresses:
- 0x6f4A6262d06272c8B2E00Ce75e76d84b9D6F6aB8
- 0x16Af29b7eFbf019ef30aae9023A5140c012374A5
At the time of writing, one of the attacker’s wallets held $5.77 million worth of assets. This includes around $2.4 million worth of Ethereum (ETH), $1.7 million BUSD, and $1.5 million worth of Aave interest-bearing TUSD, according to Etherscan data. The exploiter has been routing the stolen funds through multiple wallets.
The attack comes on the heels of the SushiSwap exploit last week that resulted in the loss of over $3 million worth of assets.
(Article updated to clarify that Aave was not impacted by the attack)