Yearn Finance Exploit
Antier Solutions
One of the World's largest Web3 Consulting Firms DeFi | Metaverse | Layer-1 Blockchain
PeckShield, a blockchain security company that provides services and solutions to various blockchain-based platforms and projects, tweeted on April 13, 2023, an hour past noon, tagging Aave and Yearn Finance with the message “You might wanna look into it”, and posted the following transaction hash.
0xd55e43c1602b28d4fd4667ee445d570c8f298f5401cf04e62ec329759ecda95d
The hash seems to be from Ethereum mainnet and shows the exploiter's address 0x5bac20beef31d0eccb369a33514831ed8e9cdfe0 interacting with his own contract 0x8102Ae88C617deb2A5471CAc90418Da4Ccd0579e.
Approximately $11 million worth of crypto in ETH, DAI, USDC, and BUSD was taken by the exploiter from the older version of Yearn Finance and scattered between three of his existing addresses, now tagged by Etherscan as Iearn YUSD exploiter 2 (address: 0x16Af29b7eFbf019ef30aae9023A5140c012374A5) and Iearn YUSD exploiter 3 (address: 0x6f4A6262d06272c8B2E00Ce75e76d84b9D6F6aB8).
Although it was named in the initial reports, Aave stood unharmed amid all the chaos. After the tweets from PeckShield and samczsun, a software engineer and security researcher well known for his contributions to the security of decentralized finance (DeFi) protocols and smart contracts, Aave's team reacted fast to the messages and, after carefully scrutinizing the situation, concluded that neither the Aave v1 nor the Aave v2 platform was actually exploited and that the exploiter just used the Aave platform as a means to attack Yearn Finance.
The actual exploit seems to have been caused by a “misconfigured” YUSD token, which allowed the exploiter to mint 1,252,660,242,212,927.5 YUSD by paying USDT worth no more than $10,000. The exploiter then proceeded to swap those tokens for other stablecoins.
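As an added illustration (not taken from the original report or from Yearn's code), here is a monitoring check a protocol team could run over mint events to catch a mint rate like the one described above. The event layout, the baseline rows and the 1.5x threshold are assumptions; only the last sample row uses the article's figures.

```python
from decimal import Decimal
from statistics import median

# Constructed sample mint events: (label, USD value deposited, tokens minted).
# Only the last row uses the article's figures; $10,000 is the article's upper
# bound on the deposit, so the computed rate for that row is a lower bound.
MINT_EVENTS = [
    ("baseline-1", Decimal("5000"), Decimal("4310.2")),
    ("baseline-2", Decimal("120000"), Decimal("103519.7")),
    ("baseline-3", Decimal("800"), Decimal("689.9")),
    ("article-mint", Decimal("10000"), Decimal("1252660242212927.5")),
]

def tokens_per_dollar(deposit_usd, minted):
    """Mint rate; a zero-value deposit that still mints counts as an infinite rate."""
    if deposit_usd <= 0:
        return Decimal("Infinity") if minted > 0 else Decimal(0)
    return minted / deposit_usd

def flag_anomalous_mints(events, max_ratio=Decimal("1.5"), min_history=3):
    """Return (label, rate, baseline) for every mint whose rate exceeds
    max_ratio times the median rate of earlier, unflagged mints.
    Flagged mints are kept out of the baseline so they cannot poison it."""
    history, alerts = [], []
    for label, deposit_usd, minted in events:
        rate = tokens_per_dollar(deposit_usd, minted)
        if len(history) >= min_history:
            baseline = median(history)
            if rate > baseline * max_ratio:
                alerts.append((label, rate, baseline))
                continue
        history.append(rate)
    return alerts

if __name__ == "__main__":
    for label, rate, baseline in flag_anomalous_mints(MINT_EVENTS):
        print(f"ALERT {label}: {rate:.3E} tokens per USD vs baseline {baseline:.4f}")
```

The same comparison can be enforced on-chain as a cap on how far a single mint may move the share price, so that an anomalous mint reverts instead of only raising an alert.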
The contract used by the exploiter seems to be unverified, so its actual ABI cannot be determined, but looking into the transactions a little more carefully shows that:
- The contract had 3 functions, namely init, run and finalize.
- The exploiter called init once, then run twice, and then finalize once.
- The exploiter tried to call the finalize function two more times, but the transactions reverted with “Error: Withdraw must be greater than 0”.
While this does not tell us what was going on inside that contract, it does give us some idea of how those functions might work.
It's worth noting that this is not the first time Yearn Finance has been exploited by attackers. It has faced similar exploits twice before.
One major exploit occurred in February 2021, when an attacker was able to drain $11 million from the DAI vault by exploiting a vulnerability in the Yearn smart contract. The attacker was able to manipulate the price feed of the DAI stablecoin to borrow large amounts of DAI from Yearn's vault and then sell it for other assets at an inflated price, resulting in a significant loss.
Another exploit occurred in November 2020, when an attacker exploited a vulnerability in Yearn's Vault contract to steal $2.8 million worth of DAI. The attacker was able to trick the contract into sending funds to a malicious contract by manipulating the transaction data.
Conclusion
In both cases, the exploits were caused by vulnerabilities in the smart contracts that were not properly secured. Yearn has since taken steps to improve the security of its smart contracts, including undergoing multiple security audits and implementing stricter code review processes.
As with any complex smart contract system, there is always the potential for new vulnerabilities to be discovered and exploited, but the damage can be avoided and mitigated to a great extent through smart contract auditing. The auditing process involves experienced programmers and blockchain security experts reviewing the smart contracts thoroughly and checking for any bugs from both a security and a functional point of view.
The contracts also undergo the tough scrutiny of several static and dynamic automated testing tools, which look for vulnerabilities that might escape human eyes, for better protection against exploiters.
To sum it up, smart contract auditing is essential to ensure security, accuracy, and compliance with the standards of the contract. Prevention is better than cure: auditing helps to identify and mitigate potential risks and issues before the contract is deployed, which can save time, money, and resources in the long run.