April 13, 2023: Yearn Burned
Original Sin Exploit on Deprecated Contracts Drains $10MM from @iearnfinance
Join us this morning for our daily livestream, starting sometime after 7:00 AM PT, in which Leviathan News chats with Marc Zeller about the Yearn hack, Shapella, and other news.
We've had a few hiccups with streaming links as we kick things off, so if the above link fails you can find us by subscribing to @Leviathan_News on YouTube.
Yearn Finance Hacked
Sad news out of Yearn Finance, which got hacked for $10MM.
It's another gut punch for us: Yearn is a spiritually close relative of Curve, both longstanding warhorses of DeFi with a very good track record of avoiding hacks.
The shenanigans began while we slept, as PeckShield noticed some unusual transactions and alerted both Aave and Yearn.
As information trickled out, it became apparent that the hack did not actually affect Aave. In fact, some Aave users profited from the incident.
It was Yearn Finance which bore the brunt of this hack.
But… but… Yearn has such a sterling reputation for security! Plus Yearn uses Vyper, which also has a heavy emphasis on security. Could this be another reputation blemished?
As it turns out, to discover the roots of this problem, you have to go back to ancient times, the primordial soup era of DeFi.
The exploited contract was launched years ago, well before Yearn started using Vyper, affecting only contracts which had long ago been deprecated.
The wildest part of the hack is that the issue was a case of original sin: the contracts had actually been broken since deployment over 1000 days ago. The address of a wrapped USDT token was accidentally swapped for a wrapped USDC token. But nobody seemed to notice…
In other words, the contract had been publicly broken for 3 years, since the very birth of DeFi, and yet nobody managed to notice. Only several years later, after the contract had been deprecated, did somebody eventually get around to hacking it.
Granted, far fewer people paid attention to DeFi back in that era, but it's still disconcerting to think what other bugs from the early days may still be lurking around waiting to get exploited.
Then again, even if you noticed the bug, it was not trivial to exploit.
The attacker must have harbored a major grudge against Yearn to dig so deep. Sure enough, the attacker had overinvested in a token, suggesting such a vendetta.
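An added illustration (not Yearn's code) of the kind of deployment invariant that would have caught a swapped address: a test that resolves each configured token slot to its on-chain symbol and compares it with the slot's intended asset. The registry, slot names and addresses are constructed placeholders standing in for ERC20 `symbol()`/`decimals()` calls, and the example assumes the wrapped USDT and USDC tokens both report 6 decimals, which is why a decimals-only check stays silent.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    symbol: str
    decimals: int


# Constructed stand-in for on-chain ERC20 metadata (address -> symbol/decimals).
# Addresses are placeholders, not the real wrapped-token contracts.
TOKEN_REGISTRY = {
    "0xPLACEHOLDER_yUSDT": Token("yUSDT", 6),
    "0xPLACEHOLDER_yUSDC": Token("yUSDC", 6),  # assumed 6 decimals, like yUSDT
    "0xPLACEHOLDER_yDAI": Token("yDAI", 18),
}

# What each slot of a pool/vault config is supposed to hold.
EXPECTED_SYMBOLS = {"usdt": "yUSDT", "usdc": "yUSDC", "dai": "yDAI"}
EXPECTED_DECIMALS = {"usdt": 6, "usdc": 6, "dai": 18}

INTENDED_CONFIG = {"usdt": "0xPLACEHOLDER_yUSDT", "usdc": "0xPLACEHOLDER_yUSDC",
                   "dai": "0xPLACEHOLDER_yDAI"}
# The "original sin": the USDT slot accidentally points at the USDC wrapper.
SWAPPED_CONFIG = {"usdt": "0xPLACEHOLDER_yUSDC", "usdc": "0xPLACEHOLDER_yUSDC",
                  "dai": "0xPLACEHOLDER_yDAI"}


def check_slots(config, registry, expected):
    """Return (slot, problem) pairs for slots whose address resolves to the wrong token.
    Also flags one address bound to two slots, which a per-slot check alone would miss."""
    problems, seen = [], {}
    for slot, want in expected.items():
        addr = config.get(slot)
        if addr is None:
            problems.append((slot, "no address configured"))
            continue
        token = registry.get(addr)
        if token is None:
            problems.append((slot, f"{addr} is not a known token"))
            continue
        if token.symbol != want:
            problems.append((slot, f"resolves to {token.symbol}, expected {want}"))
        if addr in seen:
            problems.append((slot, f"shares address with slot {seen[addr]}"))
        seen.setdefault(addr, slot)
    return problems


def check_decimals_only(config, registry, expected_decimals):
    """Weaker check comparing only decimals; passes on the swapped config because both
    wrappers report 6, which is one reason such a bug can lurk for years."""
    return [(s, "decimals mismatch") for s, d in expected_decimals.items()
            if registry[config[s]].decimals != d]
```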
For more details of how the hacker accomplished the feat, here are a handful of good threads diving into the gory details.
Although a sad event, the period of mourning has already passed. In true DeFi spirit, the length of time before it becomes appropriate to joke about tragedies remains infinitesimal.
It's a sad turn of events, particularly as Yearn would surely prefer to focus attention on their proposed yETH.
If you're an LP, how could you have protected yourself? In this case, pay attention to the protocols you invest in, and make sure to migrate when contracts are deprecated. It's not perfect, as this attack could have hit at any point during the contract's multi-year lifespan, but in this case continuing to sit in a contract that had been deprecated is absolutely unwise.
Odds and Ends
Several interesting developments from around cryptocurrency this week…
Tether
In the wake of the successful Shapella upgrade, Ethereum is nosing its way back towards $2000. However, compared with the last time the token sat at this market, the broader cryptocurrency ecosystem is radically different.
As it stands, Tether has never been more dominant. The past day's trading volume of Tether quite nearly eclipsed its competitor $USDC's entire market cap.
One reason we've blasted the US government for its shortsighted broadside against crypto is that it has a history of seeing its efforts backfire. In this case, the government's attempt to claim more control over the stablecoin ecosystem has had the opposite effect…
Had they done nothing, they may well have seen $USDC flippen Tether, effectively giving the government control over the bulk of the stablecoins, given $USDC's overly compliant attitude towards regulators.
Instead, their attacks would only undermine $USDC, giving the relatively less submissive Tether team utter dominance over stablecoins. Tether's having a field day minting billions of dollar derivatives onto Tron, and the US has never been weaker to stop it. Heckuva job, Lizzy!
Stargate
If Tether is moving to dominance of stablecoins, is Stargate Finance moving towards dominance of cross-chain transfers? The activity is up-only.
Axelar Network
Llama Risk released their latest report, on another cross-chain protocol which recently deployed several Curve pools: Axelar Network.
The report pointed to some concerns about the upgradability of the protocol, but overall praised their focus on security and audits. Full report, as with all Llama Risk reports, remains a must read!
Archimedes
Last week the Llama Risk team took some time to write a full report of Archimedes. This week Archimedes wrote back.
The protocol continues its successful launch, this week lowering its ARCH emissions to a lower but still appetizing level.
CLever
The CLever team recently polled interest in distributions via its CLIP-02 proposal. The protocol plans to honor the community's preference to claim revenues in raw CVX, which is expected to begin in just a few weeks.
Wombat
Wombat is raising eyebrows, launching to great success on Arbitrum.
This thread drew the attention of Curve, which had been quiet of late, breaking silence to contest claims in the thread.
Conic Finance
Conic Finance continues its rapid growth. The protocol has enjoyed a number of great milestones, including the successful launch of its Tether omnipools and squeezing its way towards a big round $100MM TVL.
Yet the most impressive metric may well be the utility of $vlCNC, which last round was able to steer $104 worth of liquidity.
Wen Llama
If you've been following the Llama NFT, you'll note the premint phase begins today with additional minting periods rolling out over the next week. Probably nothing.
Term Labs
Journeying far enough down the rabbit hole of DeFi and you start following pre-launch development cycles. Is this distinguishable from alfa? Indeed, it may be possible to glimpse into the future for any degen who digs so deep.
At any rate, we've been keeping an eye on Term Labs, which just wrapped up a very successful test of their protocol.
Do with this information what you will.