Yearn Finance Protocol Faces Exploit, Renewing Concerns Over Smart Contract Security
A legacy version of the decentralized finance (DeFi) protocol Yearn Finance has suffered a significant security breach, raising alarms about misconfigured, immutable smart contracts that still hold funds on the network long after their deprecation. On Wednesday, security firm PeckShield disclosed that the breach of YearnFinanceV1 resulted in approximately $300,000 in losses. The stolen assets have since been converted into 103 Ether, now held at the address 0x0F21…4066, as shown in Etherscan images provided by the firm.
Exploit Targets Outdated Yearn Vault
The attackers exploited an outdated Yearn vault linked to TrueUSD, referred to as the “iearn TUSD vault,” which remains active on the Ethereum network despite being replaced by newer iterations. A flaw in the configuration allowed the assailants to manipulate share prices through a series of transactions.
Price Manipulation Through Vault Misconfiguration
According to an analysis by Weilin Li, a pseudonymous crypto researcher with a background at the University of Science and Technology of China, the vault had one of its strategies set up as a Fulcrum sUSD vault and determined its share price based solely on the sUSD balance held. This oversight enabled “donation attacks,” in which attackers deposit assets directly into a vault to distort its accounting. By introducing Fulcrum sUSD tokens into the Yearn TUSD vault, the attackers were able to artificially inflate the vault’s reported share price. Compounding the issue was a rebalance function that withdrew all underlying assets in sUSD, a token excluded from the vault’s share price calculations. When the rebalance was triggered, the vault’s share price plummeted, causing a “price shock.”
Execution of Flash Loans and Withdrawal Tactics
As outlined by PeckShield’s Etherscan snapshot, the attacker performed a series of sequenced flash loans, initially borrowing substantial amounts of TUSD and sUSD without needing upfront collateral. Following this, they deposited sUSD to mint Fulcrum sUSD tokens and subsequently added TUSD to the Yearn TUSD vault. At this point, all underlying assets in the TUSD vault comprised Fulcrum sUSD tokens. The attacker then withdrew from the Yearn TUSD vault and activated the rebalance function, which forced Fulcrum to convert everything back into sUSD. Since sUSD was not factored into share price calculations, the vault’s accounting system collapsed, pushing the share price towards zero. The attacker transferred a small quantity of TUSD back into the vault, driving the share price to extremely low levels and allowing them to mint an excessive number of Yearn TUSD tokens at a minimal cost. Ultimately, they profited by selling these cheaply acquired tokens in Curve pools, extracting value from liquidity providers before settling the flash loans.
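The accounting failure described in the two sections above can be reproduced in a small model. This is an added example, not Yearn's contract code: the `Vault` class, the `fsUSD` label for Fulcrum sUSD tokens, the 1:1 asset valuation and all amounts are constructed, and it assumes the flawed share price counts TUSD and Fulcrum sUSD tokens but not raw sUSD. It replays the same sequence against a vault that counts every asset it can hold, and flags abrupt price moves the way a monitor would.

```python
from dataclasses import dataclass, field

@dataclass
class Vault:
    """Toy share-based vault; every asset is valued 1:1 (assumption)."""
    counted: tuple                       # assets the share price includes
    holdings: dict = field(default_factory=dict)
    shares: float = 0.0

    def _add(self, asset, amount):
        self.holdings[asset] = self.holdings.get(asset, 0.0) + amount

    def share_price(self):
        if self.shares == 0:
            return 1.0
        return sum(self.holdings.get(a, 0.0) for a in self.counted) / self.shares

    def donate(self, asset, amount):
        """Direct token transfer: the balance grows, no shares are minted."""
        self._add(asset, amount)

    def rebalance(self):
        """Unwrap all Fulcrum sUSD tokens ("fsUSD") into raw sUSD."""
        self._add("sUSD", self.holdings.pop("fsUSD", 0.0))

    def deposit(self, amount):
        price = self.share_price()
        if price <= 0:
            raise ValueError("share price is zero; refusing to mint")
        self._add("TUSD", amount)
        self.shares += amount / price
        return amount / price

def replay(counted):
    """Constructed sequence: donation, rebalance, dust transfer, then a deposit."""
    v = Vault(counted=counted, holdings={"fsUSD": 1_000.0}, shares=1_000.0)
    prices = [v.share_price()]
    for step in (lambda: v.donate("fsUSD", 1_000.0), v.rebalance,
                 lambda: v.donate("TUSD", 1.0)):
        step()
        prices.append(v.share_price())
    return prices, v.deposit(100.0)

def price_shocks(prices, max_move=0.5):
    """Indices where the price moved more than max_move versus the previous step."""
    return [i for i in range(1, len(prices))
            if prices[i - 1] > 0 and abs(prices[i] / prices[i - 1] - 1) > max_move]

FLAWED = ("TUSD", "fsUSD")               # raw sUSD left out of the price
FIXED = ("TUSD", "fsUSD", "sUSD")        # every asset the vault can hold is counted
```

With `FLAWED`, the rebalance drives the price to zero and the later 100-unit deposit mints about 100,000 shares. With `FIXED`, the price is unchanged by the rebalance and the same deposit mints about 50.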
Recollections of Previous Vulnerabilities in Yearn Finance
Researcher Weilin Li highlighted that this exploit mirrored a previous attack in 2023, which resulted in losses surpassing $10 million. The immutable yUSDT contract targeted in that earlier incident had been deployed over three years ago during the initial stages of iearn, under the direction of the late Andre Cronje. Li noted that the attack vector was identical to the previous exploit.
Warnings Ignored Prior to the Attack
Before the exploit occurred, cautious security analysts had alerted the community about the vulnerability via social media. However, due to the nature of immutable smart contracts, which cannot be altered or paused post-deployment, the attack was seen as unavoidable. Security analyst Nikiti Kirillov from PeckShield warned, “iearn finance, Smoothswap, be cautious. This address 0x5bac20…ed8e9cdfe0 received 10 ETH from Tornado and deploys contracts using flash loans with your addresses.” A Yearn team member, known as storming0x, acknowledged the attack’s occurrence and assured users that the current contracts were secure. Nevertheless, Rekt News revealed that it took the DeFi protocol 1,156 days to uncover a multimillion-dollar vulnerability.
Previous Exploits and Recent Hack Trends
The yUSDT token contract from Yearn generated yield from a portfolio of yield-bearing positions, including USDT deposits across platforms such as Aave, Compound, dYdX, and BzX’s Fulcrum. However, since its inception, the yUSDT contract contained a critical error that referenced the Fulcrum USDC address instead of the correct Fulcrum USDT contract. With just 10,000 USDT, hackers managed to mint approximately 1.2 quadrillion yUSDT, siphoning value from the system before cashing out. This incident follows closely on the heels of a recent attack involving Ribbon Finance, which saw $2.7 million drained from an old contract. That exploit involved repeated interactions with a proxy admin contract that manipulated price-feed proxies through delegate calls.
