Yearn Finance Exploit Points to Dangers of Old Smart Contracts

Damage from the $11.6 million exploit appears contained to original version of DeFi protocol’s permissionless vaults

article-image

Source: Shutterstock / Ivan Babydov, modified by Blockworks

share

DeFi stalwart Yearn Finance was the target of a dizzyingly complex attack early Thursday that resulted in a roughly $11.6 million stablecoin haul for the culprit. 

But the root cause dates back over three years, to a version of the savings protocol that has long since been officially abandoned.

At least $8 million in stablecoins remains in the hacker’s control, most of which has been swapped to DAI, with the remaining millions exchanged for ether (ETH) and partially passed to crypto mixer Tornado Cash in an effort to obfuscate its origin.

Yearn’s YFI governance token initially fell by roughly 5% on the news, but remains up nearly 80% year-to-date, data from CoinGecko shows.

Yearn’s official Twitter confirmed the exploit, noting that the affected vault is “an immutable contract predating YFI, [that] was deprecated in 2020.”

The attacker was able to take advantage of a vulnerability in the deployment of one of the early Yearn vaults involving tether (USDT) deposits, which receive a Yearn-equivalent token yUSDT, according to security researchers Otter Sec, samczsun and Peckshield.

Using starting capital of just 10,000 USDT, the perpetrator was able to mint over 1.2 quadrillion yUSDT and then swap those for other stablecoins via Curve Finance to extract a total of $11.6 million.

Loading Tweet..

The attack vector is linked to an apparent oversight from February 2020, when the yUSDT token contract was deployed with a bug. 

Loading Tweet..

The detail identified by Samczsun regarding an apparent “misconfiguration” is notable, according to Ernesto Garcia, Smart Contract Engineer at OpenZeppelin.

“It seems weird to me that the Fulcrum iUSDC address is hard-coded,” Garcia told Blockworks. “If the contract went through a review, it was either an oversight (everyone assuming the correct address), or might’ve been changed before deployment as some tweets out there suggest.”

Garcia suggested that bytecode verification against the audited code from the time would determine whether there was any deliberate tampering.

Aside from the age of the bug, the execution of this attack required multiple steps, three different DeFi protocols, including Aave and a flash loan.

Diagram of the flow of funds; Source: Peckshield

Aave itself is unaffected, meaning its users are not at risk, according to Peckshield, nor are users of more recent Yearn vaults.

The unknown attacker converted $1.2 million USDT to 621 ETH, and used exploited TUSD stablecoin as collateral in Aave V2 to borrow a further 320 ETH ($640,000). Much of that ether has been deposited into the Tornado Cash 100 ETH anonymity set, blockchain records show.

A separate wallet linked to the first received over 4.7 million DAI and 2.5 million USDC, with the latter swapped to DAI, where it remains as of 9:30 am ET.

Hackers prefer DAI and ETH over USDC and USDT because the centralized stablecoins from Circle and Tether are more easily frozen, preventing further transfer.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

recent research

Research Report Templates (19).png

Research

Suilend has grown into the top money market and liquid staking provider on Sui. STEAMM, Suilend’s Superfluid AMM, presents a compelling avenue for growing market share within Sui’s DEX landscape and revenue generation for the protocol. Suilend’s multi-product suite position it well for owning market share across key verticals. While current metrics across the Sui ecosystem are likely inflated due to Sui Foundation incentive programs, SEND trades at amongst the lowest multiples in the lend/borrow sector, suggesting that a bull case for continued growth in the ecosystem may be mispriced.

article-image

Silk Road founder Ulbricht made a triumphant return to the Bitcoin Conference, 10 years on from sentencing

article-image

A Blockworks Research report looked at who could take up some of the marketshare in the launchpad space

article-image

Business-to-business stablecoin payments are on the rise, per a report from Artemis, Dragonfly and Castle Island

article-image

Crypto continues to do its thing: incentivizing behavior

article-image

Kraken will soon offer Backed ‘xStocks’ as Solana tokens

article-image

In a unanimous decision, the US Court of International Trade has ruled that Trump’s IEEPA tariffs are unlawful