Aave, Yearn Finance Exploiter Steals Over $10M in Stablecoins: Report

As DeFi hacks continue, the latest protocols to be targeted by exploiters are Aave and Yearn Finance, according to blockchain security firm PeckShield.

Aave’s version 1 was impacted, while versions 2 and 3 remained unaffected. The oldest version has been frozen since December 2022, and the team behind the lending protocol said it is monitoring the situation.

Lookonchain’s data suggest that the exploiter may have managed to rake in more than $10 million in stablecoins DAI, USDC, BUSD, USDT, and TUSD.
PeckShield clarified that the root cause is due to misconfigured yUSDT, not related to Aave.

“It appears the root cause is due to the misconfigured yUSDT, which is exploited to mint huge yUSDT (1,252,660,242,212,927.5) from a small $10K USDT. The huge yUSDT is then cashed out by swapping to other stablecoins..”

Aave Chan creator Marc Zeller, in a tweet, said no user can deposit or increase borrow size making the issue unlikely but not impossible.
He further revealed that the current size of V1 is $18 million, while the current size of the Aave safety module stands at $382.50 million.
Stories of hacks and exploits have been rampant this year. In March alone, cybercriminals stole $211.5 million worth of cryptocurrencies via 26 attacks.
Earlier this week, $3.3 million in ETH was drained from SushiSwap’s approval contract.