Yearn Finance exploited for more than $11 million

A bug in a token issued by the Yearn Finance defi protocol resulted in a loss that has been estimated at around $11.6 million. An attacker was able to use a 10,000 USDT deposit to mint more than 1.2 quadrillion yUSDT, a wrapped version of the Tether (USDT) stablecoin. Losses were limited somewhat by the fact that only older versions of the Yearn protocol were vulnerable to the bug, and the version had been "frozen" since December 2022.

The attacker began swapping tokens out for other stablecoins shortly after the exploit, moving them into lending projects like Aave and laundering them through the Tornado Cash cryptocurrency mixer. There were early concerns that Aave itself was impacted by an exploit, but it was later clarified that Aave had simply been used to swap tokens involved in the Yearn exploit, and did not appear to itself be vulnerable.

This is not the first exploit involving Yearn Finance, which was hacked for $11 million in 2021, and which lost around $1.4 million in connection to the massive Euler Finance attack in March 2023.