A recent security breach in the decentralized finance (DeFi) space resulted in the minting of over 1 quadrillion Yearn Tether (yUSDT), valued at $11.6 million in stablecoins. PeckShield, a blockchain security firm, detected the hack and reported that the attacker managed to mint yUSDT using a deprecated contract from Yearn Finance. The hacker then exchanged the yUSDT for other stablecoins and transferred 1,000 Ether, equivalent to almost $2 million, to a cryptocurrency mixer called Tornado Cash.
PeckShield illustrates the flow of funds from the attack. Source: PeckShield
Yearn Finance, the lending platform affected by the attack, confirmed that the issue was limited to an outdated contract, iearn, and that its current contracts and protocols were not affected by the exploit. Similarly, Aave, another DeFi protocol, confirmed that its Aave V1, V2, and V3 were not impacted by the hack.
We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.
This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.
iearn is an immutable contract predating YFI, it was deprecated in 2020.
Vaults v1, with…
— yearn (@iearnfinance) April 13, 2023
Although DeFi hacks continue to occur, the amount of money lost to such attacks has decreased in recent years. In the first quarter of 2023, blockchain security firm CertiK reported that losses due to hacks amounted to more than $320 million, significantly lower than the $1.3 billion and $950 million lost in the first and fourth quarters of 2022, respectively.
