Investigating the Yearn Finance Attack: What You Need to Know

On April 14th, it was reported that Yearn Finance posted on Twitter the progress of the investigation into the attack, stating that as previously stated, the root cause of the attack on Yearn was a vulnerability left in the iEarn USDT (yUSDT) token contract. This vulnerability exists in multiple versions and leads to multiple Curve pools (y, busd, pax) being exploited and exhausted. The liquidity providers who deposit LP tokens into downstream protocols are still affected, including users who encapsulate the Yearn v2 vault (2) and the old version v1 vault (2) of these affected LPs. In previous tweets, Year stated that the current version of Year v2 Vaults is not affected.

Year: The vulnerability in yUSDT token contract exists in multiple versions, and the liquidity providers of downstream protocols are still affected

Introduction

Cryptocurrencies have been making headlines lately, and Yearn Finance has been no exception. On April 14th, it was reported that Yearn Finance posted on Twitter about the progress of the investigation into the attack, revealing that as previously stated, the root cause of the attack on Yearn was a vulnerability left in the iEarn USDT (yUSDT) token contract. This vulnerability exists in multiple versions and leads to multiple Curve pools being exploited and exhausted. In this article, we will take a closer look at the attack and its implications for those affected.

What happened?

The attack on Yearn Finance happened on February 4th, 2021, and involved a flash loan that exploited a vulnerability in the iEarn USDT (yUSDT) token contract. The attacker was able to drain funds from the yDAI+yUSDC+yUSDT+yTUSD pool, resulting in a loss of $11 million USD.

Root cause of the attack

Yearn Finance announced that the root cause of the attack was a vulnerability left in the iEarn USDT (yUSDT) token contract, which existed in multiple versions and led to multiple Curve pools being exploited and exhausted. The liquidity providers who deposit LP tokens into downstream protocols are still affected, including users who encapsulate the Yearn v2 vault (2) and the old version v1 vault (2) of these affected LPs. However, it’s essential to note that the current version of Year v2 Vaults is not affected.

Implications for those affected

The attack had significant implications for those who were affected, with some losing millions. It highlights the need for more robust security measures and better collaboration between players in the industry to prevent such attacks from happening in the future.

What’s being done to prevent future attacks?

Yearn Finance has been working hard to fix the vulnerability in the iEarn USDT (yUSDT) token contract and prevent a similar attack from happening again. They have also been working with other players in the industry to come up with solutions that will make the ecosystem more robust and secure.

Conclusion

The attack on Yearn Finance was a significant loss and made it clear that the cryptocurrency industry needs to do better when it comes to security. While the root cause of the attack has been identified and measures taken to prevent future attacks, more needs to be done to ensure that users’ funds are safe from malicious actors.

FAQs

Q1. What is Yearn Finance?

A. Yearn Finance is a decentralized finance (DeFi) protocol that allows users to optimize their yields on their cryptocurrency holdings.

Q2. What is a flash loan?

A. A flash loan is a relatively new type of cryptocurrency loan that allows the borrower to obtain a loan without putting up collateral.

Q3. How do I protect my funds from such attacks?

A. It’s essential to do thorough research and use various security measures like two-factor authentication, cold storage, and multi-signature wallets. Additionally, use reputable exchanges and protocols for your transactions.