CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
Earnings Misconfigured: Yearn.finance Exploit Explained
1/8/2024
Earnings Misconfigured: Yearn.finance Exploit Explained

Project name: Yearn.finance

Project type: Aggregator

Date of exploit: April 13, 2023

Asset loss: Approximately $10M

Vulnerability: Misconfiguration

Date of audit report publishing: March 5, 2020

Conclusion: Out of Scope

Details of the Exploit

Background

Yearn Finance is a DeFi aggregator protocol. The yVault Tokens represent a user's share of the yVault that they are participating in, for example, deposit USDT to mint yUSDT.

Nature of the Vulnerability

The issue arises from an incorrect configuration where the Fulcrum iUSDC token was used in place of the Fulcrum iUSDT token. As a result, the yUSDT token, designed to generate yield based on USDT, was mistakenly based on a different token, iUSDC. This mismatch leads to unforeseen financial outcomes (either losses or gains) for holders of yUSDT, contingent on the fluctuating exchange rates between USDT and USDC. Screenshot 2024-01-08 at 6.13.52 AM

CertiK Audit Overview

Screenshot 2024-01-08 at 6.14.26 AM

Conclusion

On April 13, 2023, yearn.finance was attacked due to a misconfiguration of the yUSDT contract, leading to a loss of approximately $10M.

The vulnerability is due to a misconfiguration of the yUSDT contract that uses the fulcrum iUSDC address, which is different from the yDAIv2.sol’s configuration and should be out of scope.

References

Related Stories
Prisma Finance Incident Analysis
Blogs
Incident Analysis
On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.
3/29/2024
CertiK's Journey to Samsung's Security Hall of Fame
Blogs
Announcements
Our Skyfall team’recently earned a major honor, securing a top five place in Samsung's Mobile Security Hall of Fame for 2023. This accolade is not just a recognition of their skill and dedication, but also an affirmation of our ongoing commitment to cutting-edge cybersecurity research.
1/23/2024
Post Mortem: Thoreum Finance
Blogs
Incident Analysis
On Jan 18, 2023, Thoreum Finance's token contract v4 was exploited, leading to a loss of around 2,260 WBNB. The attacker took advantage of the flawed implementation in the token contract's transfer function and manipulated its balance.
1/8/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;