- Yearn Finance is investigating an exploit in an outdated iEarn contract.
- A bug drained multiple Curve pools, impacting liquidity providers.
- Previously, a bug in the Sushi Swap system resulted in a $3.3M loss.
The decentralized finance (DeFi) platform, Yearn Finance, has announced that it is investigating an issue with an outdated contract called iEarn, which predated more recent versions such as Vaults v1 and v2.
According to the notification on Thursday, the issue is exclusive to iEarn and does not affect current Yearn contracts or protocols. Yearn Finance said Vaults v1, which had upgradeable strategies, was obsoleted in 2021, but there was no indication that it has been affected, as well as the current version, Yearn v2 Vaults.
We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2.This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols.iearn is an immutable contract predating YFI, it was deprecated in 2020.Vaults v1, with…— yearn (@iearnfinance) April 13, 2023
However, Yearn Finance later realized that the recent exploit was caused by a bug in the legacy iEarn USDT (yUSDT) token contract. According to the official update, the bug persisted in several versions and led to multiple Curve pools, including BUSD and PAX, to be exploited and drained.
Liquidity providers who deposited their LP tokens into downstream protocols, such as users of the Yearn v2 and legacy v1, were impacted. While Yearn Finance’s team investigates the issue, DeFi users are urged to remain cautious and vigilant, particularly when dealing with older contracts.
Last week, the blockchain security firm PeckShield revealed that a bug in the approval system of SushiSwap’s RouterProcessor2 contract has led to the loss of more than 1,800 Ethereum tokens worth over $3.3 million.
Notably, the hack affected several chains, including Ethereum and Binance Smart Chain; PeckShield listed the affected addresses and advised users to revoke contract approvals.
It seems the @SushiSwap RouterProcessor2 contact has an approve-related bug, which leads to the loss of >$3.3M loss (about 1800 eth) from @0xSifu. If you have approved https://t.co/E1YvC6VZsP, please *REVOKE* ASAP!One example hack tx: https://t.co/ldg0ww3hAN pic.twitter.com/OauLbIgE0Q— PeckShield Inc. (@peckshield) April 9, 2023
Notably, a Smart Contract audit firm was able to block an attack transaction, rescuing 100 Ether, equivalent to nearly $200,000.
The post Yearn Finance Urges Caution as Legacy Contract Bug Drains Multiple Pools appeared first on Coin Edition.