Hacker exploited Yearn Finance and stole over $11.5m

The popular decentralized finance (DeFi) platform, Yearn Finance, was recently hacked using the open-source liquidity protocol, Aave. Per the on-chain data, the hacker has already moved more than $11.5 million in stablecoins.

According to the on-chain data, the exploiter used Aave V1 to get 3.02 million DAI, 2.57 million USDC, 1.78 million BUSD, 1.51 million TUSD and 1.19 million USDT, among other assets, from Yearn Finance. The hacker used Tornado Cash to remove tracks of the stolen funds.

Moreover, the blockchain security firm PeckShield noted that the “root cause” of the exploit was not Aave, but rather the “misconfigured” yUSDT — Yearn Finance’s USDT mirror. Per the tweet, the hacker minted 1.2 quadrillion yUSDT coins, using only $10,000 USDT, swapping the glitchy tokens with “other stablecoins.”

According to the pseudonymous security researcher and Yearn Finance contributor, Storming0x, the hacker used the “iearn legacy protocol,” which was launched in 2020. 

Blockchain security company OtterSec states that the hacker repaid some USDT loans on Aave and then “rebalanced the yUSDT token.” Furthermore, the exploiter used Curve’s y Swap to acquire real stablecoins using the misconfigured yUSDT.