Back to all stories
Blogs
Incident Analysis
Earnings Misconfigured: Yearn.finance Exploit Explained
1/8/2024
Earnings Misconfigured: Yearn.finance Exploit Explained

Project name: Yearn.finance

Project type: Aggregator

Date of exploit: April 13, 2023

Asset loss: Approximately $10M

Vulnerability: Misconfiguration

Date of audit report publishing: March 5, 2020

Conclusion: Out of Scope

Details of the Exploit

Background

Yearn Finance is a DeFi aggregator protocol. The yVault Tokens represent a user's share of the yVault that they are participating in, for example, deposit USDT to mint yUSDT.

Nature of the Vulnerability

The issue arises from an incorrect configuration where the Fulcrum iUSDC token was used in place of the Fulcrum iUSDT token. As a result, the yUSDT token, designed to generate yield based on USDT, was mistakenly based on a different token, iUSDC. This mismatch leads to unforeseen financial outcomes (either losses or gains) for holders of yUSDT, contingent on the fluctuating exchange rates between USDT and USDC. Screenshot 2024-01-08 at 6.13.52 AM

CertiK Audit Overview

Screenshot 2024-01-08 at 6.14.26 AM

Conclusion

On April 13, 2023, yearn.finance was attacked due to a misconfiguration of the yUSDT contract, leading to a loss of approximately $10M.

The vulnerability is due to a misconfiguration of the yUSDT contract that uses the fulcrum iUSDC address, which is different from the yDAIv2.sol’s configuration and should be out of scope.

References