Yearn Finance, the famous DeFi protocol, suffered a loss of BRL 57 million this Thursday (13). In the attack, hackers used a small amount of BRL 50,000 to create BRL 6 quadrillion in a stablecoin.
The Yearn Finance hack is the third this week, but the smallest. South Korean broker GDAC lost BRL 69 million on Sunday (9), and Bitrue lost another BRL 113 million on Friday (14). The cases do not appear to be connected.
In a note, Yearn stated that the hacker targeted an old contract that had already been abandoned by the project. That is, the new versions of the protocol would not be at risk.
Hacker turns BRL 50,000 into BRL 6 trillion to steal BRL 57 million
The attack was spotted by the security company PeckShield, which quickly notified the affected project and published details of the hack.
“It appears that the root cause is due to misconfigured yUSDT that was exploited to generate a huge amount of yUSDT (1,252,660,242,212,927.5) from a tiny 10,000 USDT. The huge amount of yUSDT will then be withdrawn and exchanged for other stablecoins.”
It seems that the root cause is due to the misconfigured yUSDT, which is exploited to earn huge yUSDT (1,252,660,242,212,927.5) from a tiny $10K USDT. The huge yUSDT is then paid out by exchanging to other stablecoins. https://t.co/Qz3vwtbcot
— PeckShield Inc. (@peckshield) April 13, 2023
Despite creating BRL 6 trillion in yUSDT with just 10,000 USDT (BRL 50,000), the hackers only managed to steal US$11.6 million (BRL 57 million) from Yearn Finance.
PeckShield's image shows withdrawals of various stablecoins: US$3 million in DAI, US$2.5 million in USDC, US$1.7 million in BUSD, US$1.2 million in USDT and 61,000 in USDD.

Yearn Finance acknowledges the hack, but says the problem is under control
In a note published this Thursday (13), Yearn Finance stated that the flaw was related to “iEarn”, an old contract that was already considered abandoned. That is, there is no indication that the flaw will be exploited again.
“iEarn is an immutable pre-YFI contract, it was discontinued in 2020,” wrote Yearn Finance. “Vaults v1, with upgradeable strategies, will also be discontinued in 2021. There is no evidence that this has been affected. The current version, Yearn v2 Vaults (written in Vyper), is also unaffected.”
“As noted earlier, the root cause of this morning’s iEarn exploit was a bug in the old USDT token contract (yUSDT) in iEarn.”
As noted earlier, the root cause of this morning’s iEarn exploit was a bug in the old iEarn USDT (yUSDT) token contract.
This bug persisted across versions and led to multiple Curve pools (y, busd, pax) being exploited and emptied. Liquidity providers who…
— yearn (@iearnfinance) April 13, 2023
While the bug isn’t present in the new contracts, Yearn stated that users of Vaults v2 v1 were also affected in some way.
Finally, despite the hack, the YFI token is up 7.5% this Friday (14), following the strong performance of the two largest cryptocurrencies in the market, Bitcoin and Ethereum.
Source: Live Coins

Barry Siefert is a journalist and author at The Nation View.