DeFi Protocol Yearn Finance Exploited for $11 Million in Flash Loan Attack

On 13 April 2023 at 05:52:35 AM +UTC, iearn Finance, a deprecated version of DeFi protocol Yearn Finance, experienced a Flash Loan Attack that led to millions of dollars in losses.

The losses that occurred on Aave version 1 could exceed a staggering $11M, which includes a range of stablecoins such as DAI (3032142), USDC (2579483), BUSD (1785091), TUSD (1512528), and USDT (1193756), amongst other currencies.

Initially, it was believed that the exploit had impacted Aave V1. Nonetheless, the developers of Aave have clarified that the protocol was not affected by the exploit, and it was only used for swapping tokens to carry out the exploit. The main stablecoin involved in the exploit was Yearn Finance’s yUSD.

Detailed Analysis

The following are the links to the hacker addresses:

Hacker address 1:

Hacker address 2:

Hacker address 3:

Here are the details related to the attack:

Hacker contract address 1:

Hacker contract address 2:

Attack transaction 1:

Attack transaction 2:

Attack Process

The attack was executed by exploiting a flaw in the yUSDT contract. Specifically, the fulcrum in the contract was using the iUSDC token instead of the iUSDT token, resulting in a mistaken dependency on the pool’s underlying token. To exploit this, the hacker first borrowed a significant amount of flash loans and then exchanged them through Curve to carry out the attack.

The attack involved the hacker minting bZxUSDC and sending it to the contract, which raised the price of each share. Subsequently, the hacker triggered a rebalance, resulting in the redemption of bZxUSDC for a considerable amount of USDC, causing the value of each yUSDT to plummet to nearly zero.

Subsequently, the hacker transferred 1 wei USDT to the yUSDT contract, which enabled them to mint yUSDT at the price of just 1 wei USDT. This essentially constituted free minting. The hacker then profited by exchanging the minted yUSDT through the Curve pool.

Once the hacker profited, they repaid the borrowed flash loans and swiftly exited the scene. The profits were then transferred to the hacker’s address.

Status of Funds

As of now, the funds remain in the three hacker addresses and have not been moved. We will continue to closely monitor the situation and provide updates in case there are any further developments or movements of the funds.

Official Updates

Yearn Finance has acknowledged the exploit and released a statement stating that the attack was related to an outdated contract that predates Vaults v1 and v2. Furthermore, they claim that the attack does not affect their current contracts or protocols.

At the moment, Yearn Finance is conducting internal investigations to gather more information on the attack.

Marc Zeller, the founder of Aave, released a statement clarifying that the exploit had no impact on Aave V1, and did not affect V2 and V3 either.

Interestingly, Zeller claims that the exploit has even worked in favor of some users of Aave V1. According to him, the exploiter paid off the USDT debts of several users, resulting in them benefiting from the attack.

The attack that targeted the iearn Finance protocol emphasizes the significance of enforcing strict security measures, such as conducting comprehensive audits and regularly scanning for weaknesses.

With the decentralized finance landscape expanding, it is imperative for projects to prioritize the safety of their users’ assets and adopt industry best practices to minimize the possibility of similar attacks occurring in the future.


More Posts