- Aave and Yearn Finance, two popular Ethereum DeFi protocols, reportedly exploited.
- Potential damage from the exploit could exceed $11 million.
Two leading Ethereum decentralized finance (DeFi) protocols, Aave and Yearn Finance, have reportedly been targeted by an exploit, according to early reports from blockchain security firm PeckShield. The company addressed a tweet to Aave, requesting the verification of a specific transaction hash.
— PeckShield Inc. (@peckshield) April 13, 2023
PeckShield suggests that DeFi aggregator Yearn Finance may have fallen victim to a flash loan attack. The exploit appears to target Aave V1, with damages potentially exceeding $11 million.
Investigating the Security Breach
Based on current information, LookOnChain indicates that the attacker obtained a mix of stablecoins from Yearn Finance and Aave, including 3,032,142 DAI, 2,579,483 USDC, 1,785,091 BUSD, 1,512,528 TUSD, and 1,193,756 USDT.
Aave responded to PeckShield’s tweet, stating that they are aware of the transaction and are investigating any potential impact on Aave V1, the oldest version of the protocol which has been frozen.
We are aware of this transaction, and it did not have an impact on Aave V2 and Aave V3.
We are now confirming whether there is any impact on Aave V1, the oldest version of the protocol which has been frozen. We’re monitoring the situation closely to ensure no further concerns. https://t.co/uM9wtLNJMl
— Aave (@AaveAave) April 13, 2023
Marc Zeller, Head of Aave Integration, explained in a series of tweets that Aave V1 has been frozen since December 2022, meaning no user can deposit money or increase the credit amount, making issues unlikely but not impossible.
Upcoming Snapshot Vote and User Reassurance
Zeller mentioned that a snapshot vote would take place in a few hours for governance to decide on offboarding V1. Users can still repay and/or withdraw their funds from V1 via the traditional app. The current size of V1 is $18 million, while the Aave security module stands at $382.50 million.
In response to a query from a Twitter user, Zeller also confirmed that there is currently no known impact on Aave V2 and V3, stating, “To our current knowledge, zero.”
Yearn Finance’s yUSDT Issue
Samczsun, a pseudonymous crypto researcher from Paradigm, alleges that Yearn Finance’s version of USDT, called yUSDT, has been faulty since its inception approximately three years ago. He claims that it was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.
Despite concerns about a potential dump due to the recent Shanghai hard fork, the ETH price at press time stood at $1,920, continuing its upward trajectory.