Yearn iEarn Misconfigured yUSDT
A misconfigured legacy Yearn iEarn contract pointing at the wrong Fulcrum token let an attacker mint 1.2 quadrillion yUSDT and drain roughly $11.5M in stablecoins before anyone noticed.
- Date: April 13, 2023
- Victim: Yearn Finance (iEarn)
- Chain(s): Ethereum
- Status
- Funds Stolen: ~$11.5M in mixed stablecoins
On April 13, 2023, an attacker exploited a misconfiguration in the legacy iEarn yUSDT contract, a Yearn Finance predecessor deprecated since 2020, to mint over 1.2 quadrillion yUSDT from roughly $10,000 of starting capital. The resulting drain extracted approximately $11.5 million from stablecoin liquidity pools that still accepted yUSDT.
What happened
iEarn was Yearn Finance's original yield-aggregator contract, deployed in early 2020 before the introduction of the modern Yearn vaults. The contract was immutable and was deprecated in mid-2020 when V1 vaults shipped, but had remained on-chain ever since.
A configuration error in iEarn's yUSDT contract had gone unnoticed for roughly three years:
- iEarn was supposed to deposit yUSDT's underlying USDT into Fulcrum's iUSDT pool.
- The contract was instead configured to deposit into Fulcrum's iUSDC pool — a different token entirely.
Because the contract's pool-value accounting trusted whatever balance the configured Fulcrum pool reported, the yUSDT/USDT exchange rate it derived from that value no longer reflected the USDT it actually controlled. The price became effectively whatever the attacker could nudge it to by depositing USDT into a contract that booked the deposits in terms of a different stablecoin.
The attack:
- The attacker deposited a small initial USDT amount (~$10K).
- Through a sequence of carefully timed deposits and the misrouted yUSDT/iUSDC accounting, minted ~1.2 quadrillion yUSDT against essentially no value.
- Used the absurd yUSDT balance as collateral or swap input across Aave v1 markets and Curve pools that had stale yUSDT integrations.
- Drained about $11.5M in mixed stablecoins (USDP, TUSD, BUSD, USDT, USDC, DAI) before anyone caught up.
Aftermath
- Yearn confirmed publicly that the exploit was limited to the deprecated iEarn contract — modern Yearn vaults (V1, V2, V3) were unaffected, as was Aave's current deployment.
- The stolen stablecoins were laundered through Tornado Cash.
- The incident sparked broader audits of immutable legacy contracts still consuming on-chain liquidity across major protocols.
Why it matters
The iEarn incident demonstrates that deprecated contracts are not the same as decommissioned contracts. As long as a contract is on-chain and integrated with live markets, any configuration error baked into it can still be exploited — even three years after the team stopped supporting it.
The defensive response in the months after included:
- Active deprecation flows that pause integrations and migrate liquidity out of legacy contracts when they're retired.
- Cross-protocol audits specifically scoped at legacy contract surfaces that integrate with current markets.
- Liquidity caps on Aave v1 / Curve / similar pools that had aged out of active maintenance.
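The two checks above (a vault's external pools must be denominated in the vault's own token, and a deprecated contract must not still hold liquidity or be consumed by live markets) are easy to turn into a periodic inventory audit. The script below is an added illustration written for this page, not Yearn's or Aave's own tooling; the vault model, the pool addresses and the inventory figures are constructed sample data, and the share-price band is an assumed threshold.

```python
"""Legacy-contract wiring audit (illustrative, not any protocol's real code).

Models a vault that, like a legacy yield aggregator, computes its pool value
by trusting the balance reported by each lending pool it is wired to, then
audits that wiring: mismatched underlying tokens, deprecated contracts that
still hold funds or are still integrated with live markets, and a share price
that has drifted outside a sane band. All inventory data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pool:
    address: str        # placeholder address, constructed for the example
    underlying: str     # token the pool is actually denominated in


@dataclass
class Vault:
    name: str
    token: str                      # token the vault's shares are supposed to track
    status: str                     # "active" or "deprecated"
    pools: List[Pool]               # lending pools the vault is wired to
    idle: int                       # underlying held directly by the vault
    pool_balances: Dict[str, int]   # pool address -> balance credited to the vault
    total_supply: int               # outstanding share tokens
    live_consumers: List[str]       # markets still accepting the share token


def pool_value(v: Vault) -> int:
    # Legacy-style accounting: every configured pool's reported balance is
    # trusted to be in vault-token units. Nothing here notices that a pool
    # might be denominated in a different asset; that is the audit's job.
    return v.idle + sum(v.pool_balances.get(p.address, 0) for p in v.pools)


def share_price(v: Vault) -> float:
    # Underlying per share; 1.0 means one share redeems one token.
    return pool_value(v) / v.total_supply if v.total_supply else 1.0


def audit(v: Vault, price_band: Tuple[float, float] = (0.9, 1.5)) -> List[str]:
    findings = []
    # Check 1: the iEarn bug class. A pool wired into a USDT vault must be a
    # USDT pool; anything else corrupts pool_value() and hence the share price.
    for p in v.pools:
        if p.underlying != v.token:
            findings.append(
                f"{v.name}: pool {p.address} is denominated in {p.underlying}, "
                f"vault token is {v.token}")
    # Check 2: deprecated is not decommissioned. Funds or live integrations
    # left behind keep the contract exploitable.
    if v.status == "deprecated":
        if pool_value(v) > 0:
            findings.append(
                f"{v.name}: deprecated but still holds {pool_value(v)} {v.token}")
        for market in v.live_consumers:
            findings.append(f"{v.name}: deprecated but still integrated with {market}")
    # Check 3: a share price far from par is a symptom of broken accounting.
    price = share_price(v)
    if v.total_supply and not (price_band[0] <= price <= price_band[1]):
        findings.append(
            f"{v.name}: share price {price:.3g} outside sane band {price_band}")
    return findings


def run_audit(inventory: List[Vault]) -> Dict[str, List[str]]:
    return {v.name: audit(v) for v in inventory}


# Constructed inventory: one mis-wired, abandoned vault and one healthy one.
INVENTORY = [
    Vault(
        name="legacy-usdt-vault",
        token="USDT",
        status="deprecated",
        pools=[Pool("0xPOOL_IUSDC", "USDC")],   # wrong underlying
        idle=5_000,
        pool_balances={"0xPOOL_IUSDC": 0},
        total_supply=1_000_000,
        live_consumers=["curve-y-pool"],
    ),
    Vault(
        name="usdt-vault-v2",
        token="USDT",
        status="active",
        pools=[Pool("0xPOOL_IUSDT", "USDT")],
        idle=100_000,
        pool_balances={"0xPOOL_IUSDT": 920_000},
        total_supply=1_000_000,
        live_consumers=["curve-y-pool"],
    ),
]

if __name__ == "__main__":
    for name, findings in run_audit(INVENTORY).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the constructed inventory, the legacy vault produces four findings (wrong pool underlying, residual funds, a live integration, and a share price of 0.005) while the active vault produces none. In production the same checks would read `token`, the configured pool addresses and each pool's underlying from the chain rather than from a hand-written inventory.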
The Yearn lesson is the unglamorous one: a contract you forgot about is a contract someone else will remember.
Sources & on-chain evidence
- [01] CoinDesk: https://www.coindesk.com/business/2023/04/13/defi-protocols-aave-yearn-finance-likely-impacted-in-exploit-peckshield
- [02] QuillAudits: https://quillaudits.medium.com/decoding-yearn-finance-11-million-hack-quillaudits-c9a75ac7e68b
- [03] SlowMist: https://slowmist.medium.com/an-analysis-of-the-attack-on-yearn-finance-bd17f55460ea