A hacker has exploited an outdated version of Yearn Finance, one of the most respected and long-standing DeFi protocols on Ethereum, using a bug that had been present in the protocol’s code since it was deployed more than three years ago.
At around 6:00 UTC Thursday morning, an attacker used the misconfigured code to drain $11.6 million worth of assets from one of the original Yearn contracts deployed by Yearn creator Andre Cronje at the start of the DeFi boom in 2020.
Vulnerable
“People forget about old contracts that might be vulnerable,” pcaversaccio, an independent security researcher, told DL News. He said that some black hat hackers scan old contracts that still hold funds specifically looking for exploits. “Time is not the best security indicator,” he said.
The exploit worked by letting a hacker mint over one quadrillion of Yearn’s placeholder yUSDT tokens using just 10,000 USDT stablecoins. The yUSDT was then swapped for other stablecoins and Ether, which the hacker then withdrew from the protocol.
Legacy version
The old version of Yearn is immutable, meaning that its code could not be changed after it was deployed on the Ethereum blockchain. This old version has since been replaced by Yearn v2, an updated version of the protocol. The exploit is limited to the legacy version and does not affect Yearn v2’s code.
Although Yearn had deprecated the vulnerable code, discouraging other protocols from building on top of it, on-chain records show it was still in regular use before the exploit.
0xJiji, a pseudonymous Yearn core contributor, said in a Telegram chat that the affected contract was “immutable”, meaning it cannot be altered, and was deployed in 2020. But the catch is that it was issued on an “I test in prod” basis.
That’s shorthand for “test in production,” and this was a favoured characteristic of Cronje’s work. He preferred to deploy code in a live environment and fix problems as they appeared. The problem with this approach is that it puts users’ assets at a much greater risk than developing more slowly before the code goes online.
Harsh criticism
Cronje has received harsh criticism from the DeFi community for deploying untested code, and his laissez-faire attitude has cost users of his protocols dearly. In September 2020, a Cronje project called Eminence suffered a $15 million exploit, which Cronje himself attributed to his preference to “test in prod.”
Then in early 2021, Yearn Finance’s code was exploited for $2.8 million.
Today’s Yearn exploit comes after a spate of hacks this year targeting DeFi protocols on Ethereum. In March, lending protocol Euler Finance lost almost $200 million due to a bug in its code.
More recently in April, a hacker stole $3.3 million from decentralised exchange Sushi, exploiting code which the protocol had deployed just three days prior. In both cases, the hackers eventually returned funds to these protocols, mitigating the majority of the losses.
Whether the Yearn hacker will return the stolen funds remains unclear. So far, the hacker has sent 1,000 Ether, worth almost $2 million, through the coin mixing protocol Tornado Cash.
Historically, when hackers send funds through coin mixers, it indicates they do not intend to return them.