QI Quadriga Initiative

Apr 2023 - Yearn Finance Legacy Contract Exploited - $11.4m (Global)

"Considered by many as one of DeFi’s most reliable, secure platforms, Yearn made its name by offering some of the sector’s simplest farming opportunities."

"Yearn is a decentralized suite of products helping individuals, DAOs, and other protocols earn yield on their digital assets."

"Yearn Finance is DeFi’s premier yield aggregator. Giving individuals, DAOs and other protocols a way to deposit digital assets and receive yield."

"The protocol is maintained by various independent developers and is governed by YFI holders. You can find brief descriptions of Yearn's core products, the governance process, and links to active communication channels below."

"Vaults. Yearn Vaults are capital pools that automatically generate yield based on opportunities present in the market. Vaults benefit users by socializing gas costs, automating the yield generation and rebalancing process, and automatically shifting capital as opportunities arise. End users also do not need to have proficient knowledge of the underlying protocols involved or DeFi, thus the Vaults represent a passive-investing strategy."

"Governance. The Yearn ecosystem is controlled by YFI token holders who submit and vote on off-chain proposals that govern the ecosystem. Proposals that generate majority support (>50% of the vote) are implemented by a 9-member multi-signature wallet. Changes must be signed by 6 out of the 9 wallet signers to be implemented. The members of the multi-signature wallet were voted in by YFI holders and are subject to change from future governance votes. Please refer to the multisig documentation for the list of multisig signers. For more info about the governance process, please consult the Governance FAQ and YIP-61: Governance 2.0."

"@iearnfinance was hacked with two consecutive attack transactions. The root cause is due to an (on-purpose?) misconfiguration which makes the rebalance of the pools rely on an incorrect underlying token. This misconfiguration has been there for more than three years."

"The immutable yUSDT contract that was attacked was deployed over three years ago, back when Yearn was Andre Cronje’s iearn finance.

While the strategy was superseded by newer versions, plenty of funds still remained in the original contract. Later Yearn vault contracts are not affected."

"Despite a last-minute warning on Twitter, immutable contracts can’t be saved."

"Team member storming0x acknowledged the attack before Yearn reassured users that current contracts were unaffected."

"1156 days to spot a multimillion dollar vulnerability in one of DeFi’s longest established protocols."

"The attacker exploited a misconfiguration in the iearn yUSDT token contract.

The token generated yield via an underlying basket of yield-bearing tokens, including USDT positions on Aave, Compound, DYDX and BzX’s Fulcrum.

However, since launch, the yUSDT has contained what appears to be a copy/paste error whereby the Fulcrum USDC address was used instead of the Fulcrum USDT contract.

The exploiter was able to take advantage of the misconfiguration to vastly manipulate the underlying share prices of yUSDT, and mint a large quantity (1.2 quadrillion) of yUSDT using just 10k USDT."

"The attacker was funded via Tornado Cash and redeposited 1000 ETH for laundering. At the time of writing, the first two exploiter addresses contain approximately $1.5M of assets each, and address 3 contains 7.4M DAI."

Further Analysis

Yearn is a decentralized finance (DeFi) protocol that allows individuals, DAOs, and other protocols to earn yield on their digital assets. One of Yearn's core products is its Vaults, which are capital pools that generate yield based on market opportunities. Yearn's governance process is controlled by YFI token holders who submit and vote on off-chain proposals, with proposals that generate majority support being implemented by a 9-member multi-signature wallet.

Recently, Yearn's yUSDT token contract was hacked due to a misconfiguration that had been present for over three years. The attacker was able to exploit the misconfiguration to manipulate the underlying share prices of yUSDT and mint a large quantity of yUSDT using just 10k USDT. The attacker was funded via Tornado Cash and deposited 1000 ETH for laundering. The attacker's first two addresses contain approximately $1.5M of assets each, and the third address contains 7.4M DAI.

How Could This Have Been Prevented?

The vulnerabilities were known for multiple years. Better education and awareness are needed so that users stop using vulnerable smart contracts.
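
As an added example (not code from Yearn or from the sources quoted above), the check below shows a pre-deployment gate against the kind of misconfiguration described: every lending wrapper configured for a vault must hold the vault's own token. The addresses, the registry and the names `VaultConfig` and `check_wrappers` are constructed for illustration; a real check would resolve each wrapper's asset with an on-chain query.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List

# Constructed placeholder addresses (not real contract addresses).
USDT, USDC = "0x" + "a1" * 20, "0x" + "b2" * 20
W_AAVE, W_COMPOUND, W_DYDX = ("0x" + b * 20 for b in ("01", "02", "03"))
W_FULCRUM_USDT, W_FULCRUM_USDC = "0x" + "04" * 20, "0x" + "05" * 20

# Constructed registry standing in for an on-chain "which asset do you hold?" lookup.
REGISTRY = {W_AAVE: USDT, W_COMPOUND: USDT, W_DYDX: USDT,
            W_FULCRUM_USDT: USDT, W_FULCRUM_USDC: USDC}


@dataclass(frozen=True)
class VaultConfig:
    name: str
    token: str                 # asset the vault accepts and accounts in
    wrappers: Dict[str, str]   # protocol label -> lending-wrapper address


def check_wrappers(cfg: VaultConfig, underlying_of: Callable[[str], str]) -> List[str]:
    """Return one finding per wrapper whose underlying asset is not cfg.token."""
    findings = []
    for protocol, wrapper in sorted(cfg.wrappers.items()):
        try:
            asset = underlying_of(wrapper)
        except KeyError:
            # An address we cannot resolve is a failure, not a pass.
            findings.append(f"{cfg.name}/{protocol}: wrapper {wrapper} is unknown")
            continue
        if asset.lower() != cfg.token.lower():
            findings.append(f"{cfg.name}/{protocol}: wrapper holds {asset}, "
                            f"vault token is {cfg.token}")
    return findings


# A USDT vault whose Fulcrum slot points at the USDC wrapper (the copy/paste error).
MISCONFIGURED = VaultConfig("yUSDT", USDT, {
    "aave": W_AAVE, "compound": W_COMPOUND, "dydx": W_DYDX,
    "fulcrum": W_FULCRUM_USDC})
CORRECTED = replace(MISCONFIGURED,
                    wrappers={**MISCONFIGURED.wrappers, "fulcrum": W_FULCRUM_USDT})

if __name__ == "__main__":
    for cfg in (MISCONFIGURED, CORRECTED):
        problems = check_wrappers(cfg, REGISTRY.__getitem__)
        print("FAIL" if problems else "OK", *problems, sep="\n  ")
```

Because the contract in this incident was immutable, a check of this kind only helps when it runs before deployment.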

Sources/Further Reading

Rekt - Yearn - REKT 2 (Dec 31)
iearn yUSD exploit loss and current status - Google Sheets (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)
@MetaSleuth Twitter (Dec 31)
Yearn (Dec 31)
Yearn.finance Docs | Yearn.finance (Dec 31)
https://docs.yearn.finance/getting-started/intro (Dec 31)