Hackers attack platform and create BRL 6 trillion in cryptocurrency

Yearn Finance, the famous DeFi protocol, suffered a loss of BRL 57 million this Thursday (13). In the attack, hackers used a small amount of BRL 50,000 to create BRL 6 quadrillion in a stablecoin.

The Yearn Finance hack is the third this week, but the smallest. While South Korean broker GDAC lost BRL 69 million on Sunday (9), Bitrue lost another BRL 113 million on Friday (14). The cases do not appear to be connected.

In a note, Yearn stated that the hacker targeted an old contract that the project had already abandoned. That is, the new versions of the protocol would not be at risk.

Hacker turns BRL 50,000 into BRL 6 trillion to steal BRL 57 million

The attack was spotted by the security company PeckShield, which quickly notified the affected project and published details of the hack.

“It appears that the root cause is due to misconfigured yUSDT that was exploited to generate a huge amount of yUSDT (1,252,660,242,212,927.5) from a tiny 10,000 USDT. The huge amount of yUSDT will then be withdrawn and exchanged for other stablecoins.”

Despite creating BRL 6 trillion in yUSDT with just 10,000 USDT (BRL 50,000), the hackers only managed to steal BRL 11.6 million (BRL 57 million) from Yearn Finance.

In the image below, PeckShield shows withdrawals of various stablecoins: US$3 million in DAI, US$2.5 million in USDC, US$1.7 million in BUSD, US$1.2 million in USDT and 61,000 in USDD.

Hackers made a profit of BRL 57 million in an attack on Yearn Finance, which involved withdrawing the amount into several stablecoins after exploiting a bug in the project’s smart contract. Source: PeckShield.

Yearn Finance acknowledges the hack, but says the problem is under control

In a note published this Thursday (13), Yearn Finance stated that the failure was related to “iEarn”, an old contract that was already considered abandoned. That is, there is no indication that the flaw will be exploited again.

“iEarn is an immutable pre-YFI contract, it was discontinued in 2020,” wrote Yearn Finance. “Vaults v1, with upgradeable strategies, will also be discontinued in 2021. There is no evidence that this has been affected. The current version, Yearn v2 Vaults (written in Vyper), is also unaffected.”

“As noted earlier, the root cause of this morning’s iEarn exploit was a bug in the old USDT token contract (yUSDT) in iEarn.”

While the bug isn’t present in the new contracts, Yearn stated that users of Vaults v2 v1 were also affected in some way.

Finally, despite the hack, the YFI token is up 7.5% this Friday (14), following a strong run by the two largest cryptocurrencies in the market, Bitcoin and Ethereum.

Source: Live Coins
