Yearn Finance Faces Major Setback Due to Exploit
Yearn Finance, a prominent player in the decentralized finance (DeFi) sector, has encountered a serious issue as its legacy TUSD vault was compromised by a sophisticated attack. Security firm PeckShield reported that the exploiters managed to siphon off around $300,000, converting the stolen assets into 103 Ether, which are now stored at the address 0x0F21…4066.
Concerns About Vulnerabilities in Outdated Smart Contracts
This incident has once again raised alarms regarding the weaknesses found in outdated and immutable smart contracts that remain operational on the Ethereum network long after they were first launched.
Misconfiguration in the TUSD Vault
Analysis by William Li revealed that the breach specifically targeted an older Yearn TUSD vault, referred to as the “iearn TUSD vault,” which had since been superseded by newer versions. Investigators found that a misconfiguration in the vault’s strategy made the exploit possible. The vault was designed to use a Fulcrum sUSD vault in its calculations, but its accounting only counted the sUSD balances that had been deposited into the vault itself. This flaw opened the door to a “donation attack,” in which the attackers could artificially manipulate the vault’s share price.
The attackers exploited this vulnerability by executing a series of flash loans, allowing them to borrow large amounts of TUSD and sUSD without needing to provide collateral upfront. They first deposited sUSD to mint Fulcrum sUSD tokens and then put TUSD into the vault. Since the vault’s share price disregarded sUSD assets, the rebalancing function that withdrew all underlying sUSD caused the vault’s accounting to collapse. This artificial “price shock” permitted the attackers to mint a substantial number of Yearn TUSD tokens at a negligible cost, which they then sold on Curve pools, extracting value from liquidity providers before settling their flash loans.
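The accounting failure described above, modelled as an added example that is not Yearn’s code: a toy vault whose flawed total_assets() ignores the lending position its own strategy created, together with the invariant an auditor or CI test would enforce (a rebalance must not move the share price). The vault fields, the 1:1 valuation of the lending position and the TVL figures are constructed assumptions.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point, as in most ERC-20 vault math

@dataclass
class Vault:
    # Toy single-asset vault (constructed model, not Yearn's code). Shares are
    # minted against total_assets(); the strategy parks idle funds in a lending
    # position (susd_position, valued 1:1 here).
    idle: int = 0
    susd_position: int = 0
    total_supply: int = 0
    count_all_positions: bool = True  # False models the misconfigured strategy

    def total_assets(self) -> int:
        # Flawed valuation sees only what sits idle in the vault and ignores
        # the position the strategy itself created.
        if self.count_all_positions:
            return self.idle + self.susd_position
        return self.idle

    def share_price(self) -> int:
        return WAD if self.total_supply == 0 else self.total_assets() * WAD // self.total_supply

    def deposit(self, amount: int) -> int:
        shares = amount if self.total_supply == 0 else amount * self.total_supply // self.total_assets()
        self.idle += amount
        self.total_supply += shares
        return shares

    def rebalance(self, dust: int = 1) -> None:
        # Strategy moves everything but dust into the lending position.
        self.susd_position += self.idle - dust
        self.idle = dust

def rebalance_preserves_price(count_all: bool, tvl: int = 1_000_000 * WAD) -> bool:
    # Invariant an audit or CI test should enforce: shifting funds between
    # positions must not move the share price.
    v = Vault(count_all_positions=count_all)
    v.deposit(tvl)
    before = v.share_price()
    v.rebalance()
    return v.share_price() == before

def mint_ratio_after_rebalance(count_all: bool, tvl: int = 1_000_000 * WAD) -> int:
    # Shares minted per token deposited right after a rebalance; fair value is 1.
    v = Vault(count_all_positions=count_all)
    v.deposit(tvl)
    v.rebalance()
    return v.deposit(WAD) // WAD
```

With the sound valuation both checks stay at their fair values; with the flawed one the share price drops to zero after the rebalance and a single token mints a vastly inflated number of shares, which is the condition a pre-deployment invariant test would have caught.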
A Pattern of Legacy Vulnerabilities
Security experts have noted that this incident resembles a previous attack in 2023, in which a misconfigured yUSDT contract suffered losses exceeding $10 million. That attack stemmed from a copy-and-paste error that pointed to the wrong Fulcrum contract, allowing hackers to mint enormous amounts of yUSDT from minimal deposits. Despite prior warnings from skeptical voices on social media, the immutability of smart contracts often means such vulnerabilities cannot be patched once deployed. The Yearn TUSD vault exploit is part of a troubling trend of attacks on old, neglected DeFi contracts. A similar case recently affected Ribbon Finance, previously known as Aevo, where an outdated version permitted attackers to manipulate proxy admin contracts, leading to a loss of $2.7 million. Both incidents underscore the persistent dangers of legacy protocols that still hold considerable funds on-chain despite being outdated.
Yearn Finance’s Official Response
In light of the exploit, a Yearn team member identified as storming0x confirmed that the current contracts are secure. The team reassured users that the outdated V1 TUSD vault was the only one impacted and highlighted that newer contracts are designed with lessons learned from prior vulnerabilities in mind. Nonetheless, this attack emphasizes the critical need for regular audits and the timely deprecation of legacy contracts to thwart similar exploits in the future.
