Aave and Yearn Finance hacked for over $10 million in stablecoins

While the companies behind the decentralized protocols claim that only the oldest versions were affected, users of newer versions still report losses.

The flash loan attack was possible due to the bug in the older versions of the decentralized protocols

Today, Web3 security firm PeckShield Inc. reported a hacking attack on decentralized protocols Yearn Finance and Aave. At the time PeckShield posted its tweet about the attack, Yearn Finance had already lost over $10 million in stablecoins, while Aave claimed in its tweet that none of the three versions of its protocol were affected.

"We are aware of this transaction and it did not have an impact on Aave V2 and Aave V3. We are now confirming whether there is any impact on Aave V1, the oldest version of the protocol which has been frozen. We are monitoring the situation closely to ensure no further concerns," Aave commented on PeckShield's post, which includes a link to Etherscan's description of a suspicious transaction.

In all likelihood, the DeFi protocols fell victim to a flash loan attack, an exploit similar to the one in which another protocol, Euler, lost nearly $200 million in March.

According to blockchain analytics firm Chainalysis, "Flash loans are executed by smart contracts and enable participants to quickly borrow funds without the need for collateral. However, these loans must be repaid in full within the same transaction, or else the entire transaction, including the loan itself, will be reversed."

Flash loans are often used by traders to prevent their positions from being liquidated, as well as for collateral swapping and arbitrage, a trading strategy that involves buying assets from one market and exchanging them on another market to make a profit on the price difference.

Hackers, however, frequently use flash loans to manipulate the pricing oracles of DeFi protocols. "They do this by taking advantage of the lack of collateralization to borrow huge amounts of funds, which they can then use to manipulate token prices, typically by buying or short-selling high volumes of tokens with thin supply levels," Chainalysis explains.
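To make the repay-or-revert rule concrete, here is a small Python model of flash-loan settlement. It is an added illustration written for this article, not code from Aave, Yearn or any real protocol: the ledger, the pool's 0.09% fee, the account names and the "market" counterparty that pays a 2% spread are all constructed. The pool hands out funds with no collateral and relies on a single post-condition (its balance after the borrower's callback must be at least the starting balance plus the fee); the transaction wrapper rolls back every state change, including the loan transfer itself, whenever that check fails.

```python
"""Minimal model of flash-loan settlement: borrow with no collateral, but the
whole transaction reverts unless the pool is repaid (plus fee) before it ends.

Added illustration written for this article; not code from Aave, Yearn or any
real protocol. Balances, fee and the "market" counterparty are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


class TransactionReverted(Exception):
    """A transaction-level invariant failed; every state change it made is discarded."""


@dataclass
class Ledger:
    """Token balances keyed by account name (constructed stand-in for an ERC-20 token)."""
    balances: Dict[str, int] = field(default_factory=dict)

    def balance_of(self, account: str) -> int:
        return self.balances.get(account, 0)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if amount < 0 or self.balance_of(src) < amount:
            raise TransactionReverted(f"{src}: insufficient balance for {amount}")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount


class FlashLoanPool:
    """Lends inside one transaction and checks repayment only afterwards."""
    FEE_BPS = 9  # assumed fee of 0.09%, expressed in basis points

    def __init__(self, ledger: Ledger, account: str = "pool") -> None:
        self.ledger = ledger
        self.account = account

    def flash_loan(self, borrower: str, amount: int,
                   callback: Callable[[Ledger, int, int], None]) -> int:
        fee = amount * self.FEE_BPS // 10_000
        before = self.ledger.balance_of(self.account)
        # No collateral is taken: the funds simply move to the borrower ...
        self.ledger.transfer(self.account, borrower, amount)
        # ... who may do anything with them while the callback runs.
        callback(self.ledger, amount, fee)
        # The only protection is this post-condition on the pool's own balance.
        after = self.ledger.balance_of(self.account)
        if after < before + fee:
            raise TransactionReverted(
                f"flash loan not repaid: pool holds {after}, needs {before + fee}")
        return fee


def run_transaction(ledger: Ledger, body: Callable[[Ledger], object]) -> Tuple[bool, object]:
    """Execute body atomically: keep its changes on success, roll back on revert."""
    snapshot = dict(ledger.balances)
    try:
        return True, body(ledger)
    except TransactionReverted as exc:
        ledger.balances = snapshot  # the loan transfer itself is undone as well
        return False, str(exc)


def new_ledger() -> Ledger:
    # Constructed starting state: the pool holds 1,000,000 units, a market
    # counterparty holds 50,000, and the borrower ("trader") holds nothing.
    return Ledger({"pool": 1_000_000, "market": 50_000, "trader": 0})


def arbitrage_round_trip(ledger: Ledger) -> Tuple[bool, object]:
    """Borrower with zero balance captures a 2% spread and repays principal plus fee."""
    pool = FlashLoanPool(ledger)

    def use_funds(l: Ledger, amount: int, fee: int) -> None:
        l.transfer("market", "trader", amount * 2 // 100)  # constructed profit
        l.transfer("trader", "pool", amount + fee)          # repay within the tx

    return run_transaction(ledger, lambda l: pool.flash_loan("trader", 100_000, use_funds))


def defaulting_borrower(ledger: Ledger) -> Tuple[bool, object]:
    """Borrower moves the funds away and never repays: the whole transaction reverts."""
    pool = FlashLoanPool(ledger)

    def use_funds(l: Ledger, amount: int, fee: int) -> None:
        l.transfer("trader", "market", amount)  # funds leave, nothing comes back

    return run_transaction(ledger, lambda l: pool.flash_loan("trader", 100_000, use_funds))


if __name__ == "__main__":
    ledger = new_ledger()
    print(arbitrage_round_trip(ledger), ledger.balances)
    print(defaulting_borrower(ledger), ledger.balances)
```

The second scenario is the point: the borrower starts with nothing, receives 100,000 units, and the pool is only made whole because the transaction wrapper discards the loan when the post-condition fails. The callback is free to do anything with the funds in between, which is exactly the window that lets borrowed capital be turned against a protocol's pricing within a single block.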

"It seems like the iearn USDT token (yUSDT) has been broken since the deployment, which was over 1000 days ago. It was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token," Twitter user Samczsun wrote, offering the crypto community one possible explanation of the exploit's root cause.

Meanwhile, Yearn Finance claims that the attack has affected exclusively iearn, an outdated contract released before Yearn's Vaults v1 and v2. "iearn is an immutable contract predating YFI, it was deprecated in 2020. Vaults v1, with upgradeable strategies, was also deprecated in 2021. There is no indication it is affected. The current version, Yearn v2 Vaults (written in Vyper), remains unaffected as well," the team behind Yearn Finance added in its tweet.

Some members of the crypto community disagree with the company's statement. They have already reported that the v1 vault is affected too and that its users have lost funds.

A recent post from PeckShield states that Yearn Finance lost nearly $11.6 million. "The hacker exploits a bug in the misconfigured yUSDT to mint an extremely huge amount of yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. Next, the minted yUSDT is then swapped to other stablecoins," the cybersecurity company stated in its post.

PeckShieldAlert, the Twitter account of PeckShield's Chrome extension, has reported that the loot includes 3 million DAI, 2.58 million USDC, 1.79 million BUSD, 1.2 million USDT, 1.5 million TUSD, and 61,000 USDP.

The incident has caused a lot of confusion among crypto users, who found it particularly illogical to keep old versions of a protocol live, since they can harbor bugs and give hackers more opportunities to exploit the deposited funds. Others believe that the immutability of the blockchain network is necessary for the security of transactions. Yet this same feature makes it impossible to change a deployed protocol easily, so fixing critical bugs may require releasing new versions of the protocol.

Despite the exploit, the value of AAVE, the token of Aave, has increased by more than a dollar in a single day, reaching $81.14. The price of YFI, the token of Yearn Finance, has declined by almost $0.50 today. Yet, at press time, the price had risen again by around $0.08 and the token traded at $9.08.