DeFi Protocols Yearn Finance and Aave Likely Suffer an Exploit

A ‘misconfigured’ vulnerability likely impacted DeFi protocols Yearn Finance and Aave today, according to security company PeckShield.

PeckShield explained that a misconfigured yUSDT possibly allowed a bad actor to mint a huge amount of yUSDT before cashing it out.

What We Know About Losses to Yearn, Aave

While more details of the likely exploit are awaited, the security firm revealed that the misconfigured yUSDT allowed the minting of 1,252,660,242,212,927.5 yUSDT from $10K USDT. The firm noted, “The huge yUSDT is then cashed out by swapping to other stablecoins.”

According to Nansen, the yUSDT hacker distributed $11.3 million in ETH, DAI, USDC, and BUSD among three addresses.

[Image: Nansen on the hacker’s token distribution]

The vulnerability that allowed the user to mint a near-infinite amount could reportedly be isolated to “iearn legacy protocol launched in 2020 and liquidity pool” and Aave V1. Yearn’s security developer, Stormed Blessed Ox, confirmed from the early reports that Yearn v2 vaults are likely unaffected.

Meanwhile, the Aave protocol confirmed that the hack did not impact Aave V2 and Aave V3. The platform said, “We are now confirming whether there is any impact on Aave V1, the oldest version of the protocol, which has been frozen. We’re monitoring the situation closely to ensure no further concerns.”

Aave developer Marc Zeller is predicting no monetary impact on V1.

Paradigm researcher Samczsun underlined that yUSDT was misconfigured since its deployment, with the last script update 1000 days ago.

Meanwhile, other crypto commentators took the incident as a reminder to users to diversify their funds across different DeFi protocols.

This is a developing story that will be updated as details emerge.


Source: https://beincrypto.com/aave-yearn-finance-allegedly-exploited-misconfigured-address/