
Earnings Misconfigured: Yearn.finance Exploit Explained


Project name: Yearn.finance

Project type: Aggregator

Date of exploit: April 13, 2023

Asset loss: Approximately $10M

Vulnerability: Misconfiguration

Date of audit report publishing: March 5, 2020

Conclusion: Out of Scope

Details of the Exploit

Background

Yearn Finance is a DeFi aggregator protocol. The yVault Tokens represent a user's share of the yVault that they are participating in, for example, deposit USDT to mint yUSDT.

Nature of the Vulnerability

The issue arises from an incorrect configuration in which the Fulcrum iUSDC token address was used in place of the Fulcrum iUSDT token address. As a result, the yUSDT token, designed to generate yield on USDT, was instead backed by a different token, iUSDC. This mismatch exposes yUSDT holders to unforeseen financial outcomes (either losses or gains), contingent on the fluctuating exchange rate between USDT and USDC.
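The following is an added example, not Yearn's or CertiK's code. It models the class of misconfiguration described above as a deployment-time sanity check: every yield-bearing token a vault holds must resolve to the vault's own deposit token, and it shows how the share value of the misconfigured vault tracks the USDC/USDT rate instead of staying pegged. Addresses are constructed placeholders, and the registry stands in for on-chain view calls (for Fulcrum iTokens, the `loanTokenAddress()` getter is assumed here).

```python
"""Sanity check for a yVault-style configuration (added example)."""
from dataclasses import dataclass

# Constructed placeholder addresses; not real deployments.
USDT = "0xUSDT"
USDC = "0xUSDC"
iUSDT = "0xiUSDT"
iUSDC = "0xiUSDC"

# Stand-in for on-chain lookups of each wrapped token's underlying asset
# (e.g. an iToken's loanTokenAddress(), assumed interface).
UNDERLYING_OF = {iUSDT: USDT, iUSDC: USDC}


@dataclass(frozen=True)
class VaultConfig:
    name: str
    want: str              # token users deposit (the vault's underlying)
    lending_tokens: tuple  # yield-bearing tokens the vault may hold


def config_mismatches(cfg: VaultConfig) -> list:
    """Return lending tokens whose underlying is not the vault's want token."""
    return [t for t in cfg.lending_tokens if UNDERLYING_OF.get(t) != cfg.want]


def share_value(pool_balance: float, exchange_rate: float,
                underlying_to_want: float, total_shares: float) -> float:
    """Value of one vault share in units of 'want'.

    pool_balance: lending-token units held by the vault
    exchange_rate: underlying tokens per lending token
    underlying_to_want: price of that underlying in 'want' (1.0 if identical)
    """
    return pool_balance * exchange_rate * underlying_to_want / total_shares


# Misconfigured setting beside the corrected one, mirroring the incident.
BROKEN = VaultConfig("yUSDT (misconfigured)", USDT, (iUSDC,))
FIXED = VaultConfig("yUSDT (corrected)", USDT, (iUSDT,))

if __name__ == "__main__":
    for cfg in (BROKEN, FIXED):
        print(cfg.name, "mismatches:", config_mismatches(cfg))
    # Same pool balance and iToken rate; only the USDC/USDT price differs.
    print("broken share value:", share_value(1_000_000, 1.02, 0.98, 1_000_000))
    print("fixed share value: ", share_value(1_000_000, 1.02, 1.00, 1_000_000))
```

Running the check as part of deployment or upgrade review flags the iUSDC entry before funds are at risk; the second print shows the peg drift a USDC move would introduce into a USDT vault.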

CertiK Audit Overview

[Figure: screenshot of the CertiK audit overview]

Conclusion

On April 13, 2023, yearn.finance was attacked due to a misconfiguration of the yUSDT contract, leading to a loss of approximately $10M.

The vulnerability stems from a misconfiguration of the yUSDT contract, which uses the Fulcrum iUSDC address. This differs from the configuration of yDAIv2.sol covered by the audit, so the issue is out of scope.
