2023.04.13 - Yearn Finance

On April 13, 2023, an attacker exploited a misconfiguration in the iearn yUSDT token contract on Ethereum, resulting in a loss of over $10M. The yUSDT contract was deployed over three years ago and belonged to the original iearn finance before it became Yearn Finance. Although it was outdated, it still contained significant funds. The newer Yearn vault contracts were not affected. At the time of writing, 1000 ETH of the stolen funds were cashed out through Tornado Cash, two exploiter addresses hold about $1.5M of assets each, while the third contains 7.4M DAI. Prior to the attack, Hypernative real-time alerts detected the suspicious contract about 90 minutes before it occurred. The attack was carried out in three transactions, with the second two causing most of the loss while the first transaction caused minimal loss.