Dangers of Old Smart Contracts

A dizzyingly complex attack in the early hours of Thursday saw the DeFi stalwart Yearn Finance exploited for roughly $11.6 million stable coin haul. The root cause of the exploit dates back as far as three years ago as a version of the savings protocol that has long since been abandoned.

Approximately $8 million is stablecoins is still being held by the hacker of which it has been swapped into DAI and the remaining millions have been swapped for Ethereum (ETH) that was partially passed through crypto mixer Tornado Cash to obfuscate its origin. The governance token for Yearn (YFI) fell roughly by 5% when the news broke however It remains nearly 80% up on its year-to date as per data from CoinGecko.

Confirmation of the exploit was given via Yearns twitter page noting that the affected vault is an immutable contract that predates YFI deprecated in 2020. Vulnerability in the development of the early Yearn vaults that involved tether (USDT) deposits were taken advantage of by the attacker as these received a Yearn equivalent token (yUSDT) as per security researchers Samczsun, Peckshield and Otter Sec.

The perpetrator exploited the misconfigured yUSDT minted over 1.2 quadrillion yUSDT (1,252,660,242,212,927.5) using a starting capital of just 10,000 USDT then proceeded to swap the minted coins for other stablecoins through Curve Finance for a total of $11.6 million. According to Peckshield the execution of the attack required multiple steps apart from the age of the bug, three different protocols Aave and a flash loan were involved. Currently Aave remains unaffected resulting in users not being a risk neither are users of more recent Yearn vaults according to Peckshield. 

Peckshield revealed that the hacker converted $1.2 million USDT into 621 ETH which then used that to exploit TUSD stablecoin as collateral in the Aave v2 protocol to borrow an extra 320 ETH. Majority of the Ether has been deposited into crypto mixer Tornado Cash 100 ETH anonymity set as per blockchain records. From there a separate wallet linked to the first received over 4.7 million DAI and 2.5 million USDC later swapped to DAI as of 9:30 ET remains there. As centralized stablecoins from Circle and Tether are easily frozen hackers prefer ETH and DAI over USDC and USDT as they can be prevented from further transfers.