Yearn Finance TUSD Vault Exploit Causes $300K Losses — TradingView News

Yearn Finance, a prominent player in the decentralized finance (DeFi) space, has encountered a major setback as its outdated TUSD vault was compromised by a sophisticated attack. Security firm PeckShield reported that the perpetrators successfully siphoned off around $300,000 worth of assets, converting the stolen funds into 103 Ether, which are now stored at the address 0x0F21…4066.

### Concerns Over Vulnerable Smart Contracts

This incident has reignited discussions regarding the risks associated with outdated and unchangeable smart contracts that continue to operate on the Ethereum blockchain long after their initial launch.

### Misconfigured TUSD Vault

Analysis from William Li revealed that the breach specifically targeted the older Yearn TUSD vault, known as the “iearn TUSD vault,” which had been replaced by more advanced versions. The investigation indicated a misconfiguration in the vault’s strategy setup, which relied on a Fulcrum sUSD vault for calculations while only factoring in sUSD deposits. This design flaw led to a vulnerability known as a “donation attack,” allowing the attackers to artificially influence the vault’s share price.

The attackers exploited this weakness by executing a series of flash loans, borrowing substantial amounts of TUSD and sUSD without any upfront collateral. They initially deposited sUSD to mint Fulcrum sUSD tokens before introducing TUSD into the vault. Since the vault’s share price did not account for sUSD assets, the subsequent rebalancing operation, which withdrew all underlying sUSD, caused a collapse in the vault’s accounting metrics. This artificially induced “price shock” enabled the attackers to mint large quantities of Yearn TUSD tokens at a minimal cost, which they later sold on Curve pools to extract value from liquidity providers before repaying the flash loans.
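A toy model of the accounting flaw described above, added here as an illustration (not Yearn's or Fulcrum's code): a vault whose share price is computed from only part of its holdings reports a price collapse whenever a rebalance moves assets into the bucket the accounting ignores, so the next deposit mints shares far too cheaply and dilutes existing depositors. The `count_all=True` path is the corrected accounting, in which the check a reviewer would want (price per share unchanged by a rebalance) holds; all names and amounts are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Vault:
    """Toy yield vault: shares are minted against whatever total_assets() reports."""
    counted: float = 0.0    # assets the accounting sees (e.g. tokens held directly)
    uncounted: float = 0.0  # assets parked in a strategy the flawed path ignores
    shares: float = 0.0
    count_all: bool = True  # False models the misconfigured accounting

    def total_assets(self) -> float:
        return self.counted + (self.uncounted if self.count_all else 0.0)

    def price_per_share(self) -> float:
        return self.total_assets() / self.shares if self.shares else 1.0

    def deposit(self, amount: float) -> float:
        # Same formula typical vaults use: shares = amount * supply / total_assets
        minted = amount if not self.shares else amount * self.shares / self.total_assets()
        self.counted += amount
        self.shares += minted
        return minted

    def rebalance(self, amount: float) -> None:
        """Move assets into the strategy; the vault's real value does not change."""
        self.counted -= amount
        self.uncounted += amount

    def true_value(self, shares: float) -> float:
        """What a holder's shares are actually backed by, counting every bucket."""
        return shares / self.shares * (self.counted + self.uncounted)


def scenario(count_all: bool) -> dict:
    """An LP deposits 1,000; the vault rebalances 999 into the strategy; a second
    depositor adds 1,000. Returns the figures an auditor would check (constructed)."""
    v = Vault(count_all=count_all)
    lp_shares = v.deposit(1_000.0)
    v.rebalance(999.0)
    price_after_rebalance = v.price_per_share()  # invariant: must still be 1.0
    second_minted = v.deposit(1_000.0)
    return {
        "price_after_rebalance": price_after_rebalance,
        "second_minted": second_minted,
        "lp_value": v.true_value(lp_shares),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("count_all=%s -> %s" % (flag, scenario(flag)))
```

With the flawed accounting the reported price falls to 0.001 and the second deposit mints a million shares, leaving the first LP backed by under 2 units; with full accounting the price stays at 1.0 and both depositors hold equal value.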

### A Pattern of Legacy Vulnerabilities

Security experts have pointed out that this exploit resembles a past incident in 2023, where a misconfigured yUSDT contract led to losses exceeding $10 million. That breach was attributed to a copy-and-paste mistake that referenced the incorrect Fulcrum contract, allowing attackers to generate excessive amounts of yUSDT from small initial deposits. Despite warnings from skeptical observers on social media, the immutability of deployed smart contracts means such vulnerabilities cannot be patched in place once the code is live.

The Yearn TUSD vault incident adds to a concerning trend of attacks focusing on outdated, unmaintained DeFi contracts. A similar incident recently affected Ribbon Finance, previously known as Aevo, where an older deployment allowed attackers to exploit proxy admin contracts, resulting in a loss of $2.7 million. Both cases emphasize the ongoing threat posed by legacy protocols that still manage substantial funds on-chain long after they have been rendered obsolete.

### Yearn Finance’s Response

In light of the breach, a member of the Yearn team, operating under the pseudonym storming0x, assured users that the remaining contracts are secure. They clarified that only the outdated V1 TUSD vault was compromised and stressed that newer deployments have integrated lessons learned from previous vulnerabilities. Nonetheless, this incident underscores the critical need for ongoing audits and the timely deprecation of legacy contracts to avert similar exploitations in the future.