Two of Ethereum’s most popular decentralized finance (DeFi) protocols, Aave and Yearn Finance, have been affected by an exploit, according to early reports this morning from blockchain security firm PeckShield. The company directed a tweet to Aave asking it to verify a specific transaction hash.
Hi @AaveAave @iearnfinance, you may want to take a look: https://t.co/61wSYHqwvs
— PeckShield Inc. (@peckshield) April 13, 2023
According to PeckShield, DeFi aggregator Yearn Finance is suspected to have been hit by a flash loan attack. The exploit focuses on Aave V1, and the damage could exceed $11 million.
Top Ethereum DeFi Protocols With Security Vulnerability?
According to LookOnChain, the attacker received a mix of stablecoins from Yearn Finance and Aave. Based on current knowledge, the attacker captured 3,032,142 DAI, 2,579,483 USDC, 1,785,091 BUSD, 1,512,528 TUSD and 1,193,756 USDT. Aave responded to PeckShield in a tweet:
We are aware of this transaction, and it did not have an impact on Aave V2 and Aave V3. We are now confirming whether there is any impact on Aave V1, the oldest version of the protocol which has been frozen. We’re monitoring the situation closely to ensure no further concerns.
Marc Zeller, head of Aave integration, explained in a series of tweets that Aave V1 has been frozen since December 2022. This means that no user can deposit money or increase the credit amount, “making a problem unlikely but not impossible.”
“We’re aware of the situation and research is ongoing. More info when we have more clarity,” wrote Zeller, who added that offboarding V1 has been discussed, with a Snapshot vote taking place in a few hours for governance to decide on it.
Thus, according to Zeller, users can “in any case” repay and/or withdraw their funds from V1 via the traditional app. The current size of V1 is $18 million, and the current size of the Aave security module is $382.50 million.
In response to a question from a Twitter user, Zeller also confirmed that there is currently no known impact on Aave V2 and V3. Zeller wrote, “To our current knowledge, zero.”
Pseudonymous crypto researcher Samczsun of Paradigm claims that the version of USDT developed by Yearn Finance, called yUSDT, has been broken since its launch about three years ago. He said it was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.
At press time, the ETH price stood at $1,920, maintaining its upward trend despite the fears of a dump due to yesterday’s Shanghai hard fork.