Yearn Finance, a prominent decentralized finance (DeFi) protocol, suffered an $11.6 million exploit on Thursday.
The attack exploited a bug introduced when one of the early Yearn vaults, a vault accepting Tether (USDT) deposits, was deployed in February 2020. Although the protocol officially abandoned this vault long ago, the contract remained live and callable on-chain, and could therefore still be exploited.
The attacker used a flash loan and multiple DeFi protocols, including Aave and Curve Finance, to swap their Yearn-equivalent tokens for other stablecoins, resulting in the $11.6 million heist.
The root cause lies in a previous version of the savings protocol that has been abandoned for over three years. Although the damage appears to be contained to that abandoned version of the protocol's permissionless vaults, the incident highlights the risk of deprecated smart contracts that remain deployed and callable: "abandoned" does not mean "disabled", and any funds or token minting logic they still control stay exposed.
The hacker has swapped most of the stolen funds to DAI and exchanged some for ETH, which has been partially passed to crypto mixer Tornado Cash to obfuscate its origin.
Ernesto Garcia, smart contract engineer at OpenZeppelin, noted that the execution of the attack required multiple steps and was not a simple one.
The attack vector was traced to an apparent oversight from February 2020, when the yUSDT token contract was deployed with a bug that went unnoticed until it was exploited.