Back to all stories
Incident Analysis
Earnings Misconfigured: Exploit Explained
Earnings Misconfigured: Exploit Explained

Project name:

Project type: Aggregator

Date of exploit: April 13, 2023

Asset loss: Approximately $10M

Vulnerability: Misconfiguration

Date of audit report publishing: March 5, 2020

Conclusion: Out of Scope

Details of the Exploit


Yearn Finance is a DeFi aggregator protocol. The yVault Tokens represent a user's share of the yVault that they are participating in, for example, deposit USDT to mint yUSDT.

Nature of the Vulnerability

The issue arises from an incorrect configuration where the Fulcrum iUSDC token was used in place of the Fulcrum iUSDT token. As a result, the yUSDT token, designed to generate yield based on USDT, was mistakenly based on a different token, iUSDC. This mismatch leads to unforeseen financial outcomes (either losses or gains) for holders of yUSDT, contingent on the fluctuating exchange rates between USDT and USDC. Screenshot 2024-01-08 at 6.13.52 AM

CertiK Audit Overview

Screenshot 2024-01-08 at 6.14.26 AM


On April 13, 2023, was attacked due to a misconfiguration of the yUSDT contract, leading to a loss of approximately $10M.

The vulnerability is due to a misconfiguration of the yUSDT contract that uses the fulcrum iUSDC address, which is different from the yDAIv2.sol’s configuration and should be out of scope.