Yearn Finance - April 13, 2023


Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    Table Of Content



    Yearn Finance is a well-known yield aggregator in the Decentralized Finance (DeFi) sector. It offers users, DAOs, and other protocols the opportunity to deposit digital assets and earn yield in return. Governed by YFI token holders and maintained by various independent developers, Yearn has a range of core products, such as Vaults, and a democratic governance system.

    This analysis aims to explore and explain the Yearn Finance hack that took place on April 13, 2023. We aim to delve into the intricate details of this exploit to allow both non-technical and technical readers to understand the chain of events that led to the theft of approximately $11.4 million.

    Hack Impact

    The exploit on Yearn Finance occurred due to a misconfiguration in the yUSDT vault, leading to a loss of approximately $11.54 million. This vulnerability was exploited by the attackers, leading to a significant financial impact and highlighting a fundamental flaw in the system's architecture.

    Yearn Finance Hack Explained

    Step 1: Wallet Preparation and Funding

    The attacker started by funding their wallet through Tornado Cash, a platform for transaction privacy on Ethereum. The exact details of the transaction remain obscured due to Tornado Cash's privacy-preserving features.

    Step 2: Flash Loan Acquisition

    After the funding, the attacker initiated a flash loan from the Aave platform, a lending protocol. This loan was large, encompassing 5 million DAI, 5 million USDC, and 2 million USDT.

    Step 3: yUSDT Contract Manipulation

    Following the acquisition of the flash loan, the attacker transferred these funds to the misconfigured yUSDT contract in Yearn Finance. Because of the wrong token dependency on iUSDC instead of the intended iUSDT, the contract erroneously minted a significant amount of yUSDT tokens to represent the newly deposited funds.

    Yearn Finance - yUSDT contract (misconfigured function)

    Step 4: Withdrawal and Rebalance

    The attacker then redeemed their yUSDT tokens, effectively withdrawing all the assets from the Aave V1 vault. Then, they minted bZxUSDC tokens and sent them to the contract. By doing this, the attacker was able to manipulate the price of each share. A subsequent rebalance of the vault reduced the value of each yUSDT token to zero.

    Step 5: Exploiting Misconfiguration

    At this point, the attacker exploited the aforementioned misconfiguration. By depositing 1 wei (a tiny fraction of 1 Ether, similar to a cent in relation to a dollar) of USDT to the yUSDT contract, the misconfiguration allowed the attacker to mint over 1 quadrillion yUSDT tokens. This extreme minting was possible due to the low value of the yUSDT tokens, each essentially worth zero after the rebalance.

    Step 6: Conversion and Payback

    The attacker then proceeded to swap the wrongly minted yUSDT for USDT, USDC, and DAI tokens through Curve Finance pools. After obtaining these stablecoins, the attacker repaid the flash loan they had taken from Aave.

    Step 7: Profit Extraction

    After repaying the flash loan, the attacker effectively kept the remaining funds, totaling about $11.54 million in the form of stablecoins. This marked the end of the exploit.

    The Misconfigured Fruit Stand: A Simple Analogy of the Yearn Finance Hack

    Picture a bustling fruit stand that sells two types of fruit: apples and oranges. The fruit stand utilizes a sophisticated computer system to accurately track its inventory of each fruit type.

    However, a critical mistake was made during the system setup: the barcode assigned for apples was mistakenly used for oranges. The consequence? Every time someone brings oranges to the stand, the system mistakenly recognizes and registers them as apples.

    One day, a cunning customer (the attacker in our case) discovers this flaw. They borrow a massive amount of oranges and apples from another fruit stand (akin to taking a flash loan), and subsequently deposit them into the misconfigured fruit stand. The flawed system registers this transaction as a considerable influx of apples due to the barcode mix-up.

    Subsequently, the system recalculates the value of each apple share based on the total quantity of apples - a quantity falsely inflated due to oranges being erroneously classified as apples. With the system perceiving an excessive stock of apples, the value of each apple share drops significantly.

    Seizing this opportunity, the cunning customer deposits a single apple into the fruit stand (equivalent to 1 wei of USDT). Given the incredibly low value of each apple share (due to the miscount), the system grants the customer an enormous amount of apple shares in return.

    Finally, the cunning customer sells these apple shares to other customers at the current market price, reaping a hefty profit. Concurrently, they return the borrowed fruits to the original stand (equivalent to repaying the flash loan), thus clearing their obligations while pocketing the gains from the apple shares sold.

    In this analogy, the 'fruit stand' is representative of the yUSDT contract, 'apples' symbolize USDT, 'oranges' signify USDC, and 'apple shares' parallel yUSDT tokens. Just like the cunning customer who capitalized on the fruit stand's system flaw, the attacker in the Yearn Finance Hack exploited a misconfiguration to walk away with significant illicit profits.

    Recommendations for Enhanced Security

    This exploit could have been prevented with diligent validation and verification of the Fulcrum address before deployment. The deployer should have provided the correct address for the iUSDT token, not iUSDC, in the constructor.

    It further underscores the importance of conducting comprehensive security reviews of deployment scripts to ensure all deployment parameters are correctly configured.

    Transaction Analysis

    The attack on Yearn Finance involved multiple addresses and transactions. The addresses and the transactions used in this exploit were:

    Attacker Externally Owned Accounts (EOAs)

    Attacker EOA-1: 0x5bac20beef31d0eccb369a33514831ed8e9cdfe0

    Attacker EOA-2: 0x16Af29b7eFbf019ef30aae9023A5140c012374A5

    Attacker EOA-3: 0x6f4A6262d06272c8B2E00Ce75e76d84b9D6F6aB8

    Attacker Contract Accounts

    Attacker Contract-1: 0x8102ae88c617deb2a5471cac90418da4ccd0579e

    Attacker Contract-2: 0x9fcc1409b56cf235d9cdbbb86b6ad5089fa0eb0f

    Victim Contract Account

    Victim Contract: 0x83f798e925BcD4017Eb265844FDDAbb448f1707D

    Attack Transactions:

    First Transaction: 0xd55e43c1602b28d4fd4667ee445d570c8f298f5401cf04e62ec329759ecda95d

    Second Transaction: 0x8db0ef33024c47200d47d8e97b0fcfc4b51de1820dfb4e911f0e3fb0a4053138

    At the time of writing this analysis, the attacker holds around $9,817,782 across all the EOAs involved in this exploit.


    The Yearn Finance hack is a stark reminder of the necessity of stringent smart contract auditing in the DeFi landscape. By exploiting a misconfiguration in the yUSDT vault, the attacker pilfered approximately $11.54 million, highlighting the risks associated with overlooking security checks.

    Preventative measures, such as those offered by security firms like BlockApex, are crucial. Their meticulous smart contract audits can identify potential vulnerabilities and rectify them before deployment, ensuring the robustness of the DeFi platform.

    The Yearn Finance incident underlines the importance of security diligence. Through rigorous audits and continuous attention to security, the DeFi community can look to build safer, more resilient systems for users and stakeholders alike.

    More Hack Analysis

    Kokomo Finance - Hack Analysis (March 27, 2023)

    Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.

    SAFEMOON - March 29, 2023

    Safemoon suffered an attack in which the SFM/BNB pool was drained, resulting in a loss of $8.9M worth of ‘locked LP’. The attack was carried out by exploiting a vulnerability in the new Safemoon contract that allowed anyone to burn SFM tokens from any address, thus inflating the price of SFM tokens in the pool.

    Pickle Finance Hack Analysis & POC (Nov 21st, 2021)

    On 21sth November 2021, Pickle finance was hacked, where an attacker was able to drain $19M DAI from the pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar contract.

    Dforce Network - February 13, 2023

    The attack on dForce network had significant consequences for the platform and its users. By exploiting a reentrancy vulnerability in the wstETH/ETH pool on Curve and the dForce wstETH/ETH Vault, the attacker was able to manipulate the virtual price of the pool, which in turn affected the oracle used by the dForce wstETH/ETH Vault

    Beanstalk Hack Analysis & POC (Apr 17, 2022)

    Beanstalk protocol got hacked for around $74M through exploiting the governance mechanism & stealing all the BEANS & Curve LP tokens stored in the Beanstalk protocol.

    Harvest Finance Hack Analysis & POC

    Harvest finance got hacked for around $34M due to a flashloan attack which manipulated the price in the Curve pool to retrieve more USDT tokens than originally deposited USDT amount in fUSDT pool.

    DEUS DAO - May 6, 2023

    The Deus DAO hack had significant financial consequences, with users collectively losing around $6.5 million across Arbitrum, BSC, and Ethereum chains. Furthermore, the hack caused the DEI stablecoin to depeg by more than 80%, destabilizing its value and potentially shaking investor confidence.

    SushiSwap - April 9, 2023

    On April 9, 2023, SushiSwap suffered a security breach which led to a loss of over $3.3 million. The attack exploited a flaw in the RouteProcessor2 contract of SushiSwap's router processor. The fallout was felt across several major chains that had previously authorized the RouteProcessor2 contract.

    Platypus Finance - February 16, 2023

    On February 17, 2023, Platypus Finance was hacked, resulting in a loss of approximately $8.5 million worth of assets. In this hack analysis, we will delve into the details of the attack, the vulnerability that was exploited, and the impact it had on the platform and its users.

    1 2 3
    Designed & Developed by: 
    All rights reserved. Copyright 2023