A legacy version of the decentralized finance protocol Yearn has suffered an exploit, reviving concerns about misconfigured and immutable smart contracts that have held funds on the network years after being deprecated.

In an X post on Wednesday, Security firm PeckShield reported YearnFinanceV1’s hack resulted in losses of about $300,000. The stolen funds were swapped into 103 Ether and now sit at address 0x0F21…4066, according to Etherscan images shared by the firm.

The hackers took advantage of an outdated Yearn vault tied to TrueUSD, known as the “iearn TUSD vault,” which is still deployed on Ether despite being superseded by newer versions. A configuration flaw helped the attackers manipulate share prices through several transactions.

Yearn Finance misconfigured vault triggered price manipulation 

According to an analysis from pseudonymous crypto researcher and University of Science and Technology of China alumnus Weilin Li, the vault configured one of its strategies as a Fulcrum sUSD vault and calculated its share price using only the sUSD balance deposited.

This opened the door to so-called “donation attacks,” in which an attacker transfers assets directly into a vault to distort accounting metrics. After sending Fulcrum sUSD tokens into the Yearn TUSD vault, the perpetrators were able to artificially inflate the vault’s reported share price.

The issue was compounded by a rebalance function that withdraws all underlying assets in sUSD, an asset not included in the vault’s share price calculations. When the rebalance started, the vault’s share price tanked steeply and created a “price shock.”

Per PeckShield Alert’s Etherscan snapshot, the attacker executed sequenced flash loans by firstly borrowing large amounts of TUSD and sUSD without an upfront collateral. They then deposited sUSD to mint Fulcrum sUSD tokens before depositing TUSD into the Yearn TUSD vault. 

At that stage, all underlying assets of the TUSD vault consisted of Fulcrum sUSD tokens. The exploiter withdrew from the Yearn TUSD vault and called the rebalance function, forcing Fulcrum to redeem everything into sUSD. Because sUSD was excluded from share price calculations, the vault’s accounting collapsed, effectively driving the share price toward zero.

The attacker then transferred a small amount of TUSD back into the vault, pushing the share price to extremely low levels, and minted an outsized number of Yearn TUSD tokens at minimal cost. He ultimately counted gains by selling the cheaply acquired Yearn TUSD tokens on Curve pools, extracting value from liquidity providers before repaying the flash loans.

Yearn Finance recaps 2023 vulnerability, researcher recounts

Researcher Li found that the exploit was similar to an attack carried out in 2023, leading to losses exceeding $10 million. The immutable yUSDT contract targeted in that earlier incident was deployed more than three years ago, during the early days of iearn when the late Andre Cronje led the protocol.

Pessimistic security analysts had issued a warning about the vulnerability on social media before the exploit, but since immutable smart contracts cannot be patched or paused once deployed, it was inevitable.

 “iearn finance, Smoothswap, be careful. This address 0x5bac20…ed8e9cdfe0 got 10 ETH from Tornado and deploys contracts with flashloans using your addresses,” PS’ Nikiti Kirillov wrote.

A Yearn team member known as storming0x admitted the attack happened and reassured users that its current contracts were safe. Yet, Rekt News observers revealed it took 1,156 days for the DeFi protocol to spot a multimillion-dollar vulnerability.

Yearn yUSDT token contract generated yield from a basket of yield-bearing positions, including USDT deposits on Aave, Compound, dYdX and BzX’s Fulcrum. Since launch, however, yUSDT contained a copy-and-paste error which referenced the Fulcrum USDC address instead of the Fulcrum USDT contract. 

Using just 10,000 USDT, hackers were able to mint approximately 1.2 quadrillion yUSDT, draining value from the system before cashing out.

The Yearn incident comes less than a week after Cryptopolitan featured a $2.7 million drainage from an old contract belonging to Ribbon Finance, the rebranded version of Aevo. That attack involved repeated interactions with a proxy admin contract at address 0x9D7b…8ae6B76. The attacker invoked functions such as transferOwnership and setImplementation to manipulate price-feed proxies through delegate calls.

Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.