Aave and Yearn Finance were hacked and lost $10M

Decentralized finance (DeFi) protocols Aave and Yearn Finance reportedly became victims of an exploit, with the attacker draining over $10M in stablecoins. 

Onchain analytics platform LookOnChain reported the exploiter took away 3,032,142 DAI, 2,579,483 USDC, 1,785,091 BUSD, 1,512,528 TUSD, and 1,193,756 USDT.

An exploiter attacked @iearnfinance and @AaveAave.

The exploiter got over $10M in stablecoins.

Including:

– 3,032,142 $DAI
– 2,579,483 $USDC
– 1,785,091 $BUSD
– 1,512,528 $TUSD
– 1,193,756 $USDThttps://t.co/nT0PhL1cDC pic.twitter.com/ukOQagk1n5

— Lookonchain (@lookonchain) April 13, 2023

According to Peckshield, the misconfigured yUSDT, which is exploited to create enormous yUSDT (1,252,660,242,212,927.5) from a meager $10K USDT, is the real cause of the exploit and not Aave.

“The huge yUSDT is then cashed out by swapping to other stablecoins,” Peckshield revealed.

Hi @AaveAave @iearnfinance, you may want to take a look: https://t.co/61wSYHqwvs

— PeckShield Inc. (@peckshield) April 13, 2023

 

Aave acknowledged the exploit noting it did not have an impact on Aave V2 and Aave V3. The DeFi platform stated the team is now confirming whether there is any impact on Aave V1, the oldest version of the protocol which has been frozen. 

Marc Zeller, the Aave integrations lead, later tweeted that the Aave V1 has been frozen since December 2022. “The current size of V1 is $18M, and the current size of the Aave safety module is $382.50M,” Zeller continued.

Contributor to Yearn Finance @storming0x claims that the Yearn v2 vaults do not appear to be affected by the exploit. Aave and Yearn Finance are keeping an eye on the situation right now.

Numerous exploits have already been discovered for the year 2023, with significant DeFi platforms suffering the most. Recently, a $3.3 million exploit brought on by a RouterProcessor2 contract bug cost SushiSwap $3.3 million.