Halborn Blog

Explained: The Yearn Finance Hack (April 2023)


Rob Behnke

April 21st, 2023


In April 2023, an attacker exploited a vulnerability that had been hidden in Yearn’s smart contract for about three years and stole an estimated $10 million from the protocol.

Inside the Attack

The Yearn hack exploited a misconfiguration in the project’s immutable yUSDT token contract. The contract included an address that should have pointed to the Fulcrum USDT contract but, instead, pointed to the Fulcrum USDC contract.

This copy-paste error caused the contract to miscalculate its pool ratio during the attack. The attacker exploited this miscalculation to manipulate how the contract valued the underlying share prices of yUSDT tokens. As a result, the attacker was able to mint 1.2 quadrillion yUSDT after depositing only 10,000 USDT.
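
A pre-deployment check for this class of wiring error, as an added example that is not Yearn's or Halborn's code: it compares the asset each configured lending market actually lends against the vault's own token, and flags any market address reused by vaults of different tokens. All addresses, vault layouts, slot names and function names are constructed for illustration; in practice `underlying_of` would read the asset from the market contract on-chain.

```python
# Added example: constructed addresses and hypothetical names throughout.
from collections import defaultdict

ZERO = "0x" + "00" * 20

def norm(addr):
    """Canonical lower-case form of a 20-byte hex address; raises on malformed input."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x"):
        raise ValueError(f"malformed address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a

def audit_wiring(vaults, underlying_of):
    """vaults: {vault_name: {"token": addr, "markets": {slot: addr}}}
    underlying_of: callable(market_addr) -> token the market lends, or None if it
    cannot be read. Returns a sorted list of (vault, slot, reason) findings."""
    findings = []
    seen = defaultdict(set)  # market address -> {(vault, slot, vault token)}
    for vname, cfg in vaults.items():
        token = norm(cfg["token"])
        for slot, raw in cfg["markets"].items():
            market = norm(raw)
            if market == ZERO:
                findings.append((vname, slot, "zero address"))
                continue
            seen[market].add((vname, slot, token))
            actual = underlying_of(market)
            if actual is None:
                findings.append((vname, slot, "underlying unreadable"))
            elif norm(actual) != token:
                findings.append((vname, slot, "underlying mismatch"))
    # Copy-paste check needing no chain access: one market wired to vaults of different tokens.
    for market, uses in seen.items():
        if len({tok for _, _, tok in uses}) > 1:
            for vname, slot, _ in uses:
                findings.append((vname, slot, "market shared across tokens"))
    return sorted(set(findings))

# Constructed sample data (not real mainnet addresses).
USDC, USDT = "0x" + "c0" * 20, "0x" + "d0" * 20
F_USDC, F_USDT, M2_USDT = "0x" + "C1" * 20, "0x" + "d1" * 20, "0x" + "d2" * 20
ON_CHAIN = {norm(F_USDC): USDC, norm(F_USDT): USDT, norm(M2_USDT): USDT}
VAULTS = {
    "yUSDC": {"token": USDC, "markets": {"fulcrum": F_USDC}},
    "yUSDT": {"token": USDT, "markets": {"fulcrum": F_USDC, "second_market": M2_USDT}},  # pasted from yUSDC
}

if __name__ == "__main__":
    for finding in audit_wiring(VAULTS, ON_CHAIN.get):
        print(*finding, sep=" | ")
```

Because the contract in this incident was immutable, a check like this only helps if it runs before deployment, for example as a CI step over the addresses extracted from the source.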

Lessons Learned From the Attack

The Yearn attacker exploited an old Yearn strategy, and the exploit didn’t affect the value held in current contracts. However, the attacker was able to steal approximately $10 million by taking advantage of a simple copy-paste bug that flew under the radar for years.


These types of vulnerabilities underscore the importance of comprehensive smart contract security audits. For more information on how to secure your DeFi projects, reach out to our Web3 security experts here.