Yearn Finance Hack Due To Vulnerabilities In yUSDT Contract, Bugs Still Not Fixed

Key Points:

• Yearn Finance, for the first time, disclosed that the cause of the hack was due to existing vulnerabilities in the smart contract of the yUSDT token.
• The bug is still not fixed, so liquidity providers that send LP tokens to downstream protocols are still affected.
• Yearn has stated that the current version, Yearn v2 Vaults, is unaffected.

Yearn Finance announced the progress of the attack investigation. It said that the root cause of the attack on Yearn was due to residual vulnerabilities in the iEarn USDT (yUSDT) token contract.

The team also said the bug exists in multiple versions and causes many Curve pools (y, busd, pax) to be exploited and exhausted. Currently, the vulnerabilities have not been fixed.

Liquidity providers depositing LP tokens into downstream protocols are still affected, this includes users of the Yearn v2(2) and legacy v1(2) vaults packing the LPs affected by this. In an earlier tweet, Yearn stated that the current version, Yearn v2 Vaults, is unaffected.

As mentioned earlier, a suspicious transaction was detected by Peckshield (DeFi technical testing unit). Two related names are Yearn Finance and Aave, veteran projects in the decentralized financial market.

Initial feedback revealed this was a flash loan assault on Yearn Finance using money obtained through Ave. However, many consumers are also worried that Aave may be impacted if any odd actions are made in relation to this loan product. Aave-related transactions are Repay transactions, which repay the product’s Core V1 pool.

“We’re looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols. iearn is an immutable contract predating YFI, it was deprecated in 2020.”

This protocol said.

Reports also indicate that $10 million has been extracted from Yearn Finance, located in a wallet with the address “0x16A…74A5”. At the time of the attack, the YFI token had dropped to less than $9,000. The YFI token’s price has been adjusted to the original level.

DISCLAIMER: The Information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.

Join us to keep track of news: https://linktr.ee/coincu

Foxy

Coincu News