Yearn Finance, one of the leading decentralised finance (DeFi) protocols, has suffered a significant setback as its legacy TUSD vault fell victim to a sophisticated exploit.
According to security firm PeckShield, attackers managed to extract approximately $300,000, converting the stolen assets into 103 Ether now held at the address 0x0F21…4066.
#PeckShieldAlert YearnFinanceV1 @yearnfi has suffered an exploit, resulting in a total loss of ~$300K.
The exploiter has swapped the stolen funds for 103 $ETH, which now sit in the address: 0x0F21…4066.
Notably, the incident has reignited concerns about the vulnerabilities of outdated and immutable smart contracts that remain active on Ethereum years after their deployment.
Misconfigured TUSD vault
According to analysis by William Li, the breach targeted a legacy Yearn TUSD vault, known as the “iearn TUSD vault,” which had long been superseded by newer iterations.
Researchers identified a misconfiguration in the vault’s strategy setup, which used a Fulcrum sUSD vault for calculations while considering only sUSD balances deposited into the vault.
This flawed design created a pathway for a so-called “donation attack,” allowing the perpetrators to artificially manipulate the vault’s share price.
The attackers leveraged this weakness with a series of flash loans, borrowing significant amounts of TUSD and sUSD without any upfront collateral.
They deposited sUSD to mint Fulcrum sUSD tokens before placing TUSD into the vault.
Because the vault’s share price ignored sUSD assets, the subsequent rebalance function, which withdrew all underlying sUSD, caused the vault’s accounting metrics to collapse.
This artificial “price shock” allowed the attackers to mint vast quantities of Yearn TUSD tokens at minimal cost and ultimately sell them on Curve pools, extracting value from liquidity providers before repaying the flash loans.
A pattern of legacy vulnerabilities
Security analysts have noted that this exploit mirrors a similar attack in 2023, when a misconfigured yUSDT contract resulted in losses exceeding $10 million.
That incident stemmed from a copy-and-paste error referencing the wrong Fulcrum contract, allowing hackers to mint unprecedented amounts of yUSDT from small initial deposits.
Despite warnings from pessimistic observers on social media, the immutable nature of smart contracts rendered such vulnerabilities unavoidable once deployed.
The Yearn TUSD vault exploit adds to a growing list of attacks targeting old, unmaintained DeFi contracts.
A comparable incident recently hit Ribbon Finance, formerly known as Aevo, where an outdated deployment allowed attackers to manipulate proxy admin contracts and drain $2.7 million.
Both events highlight the ongoing risks associated with legacy protocols that continue to hold significant funds on-chain long after they have been deprecated.
Yearn Finance’s response
In response to the incident, a Yearn team member under the handle storming0x confirmed that the current contracts remain secure.
The team reassured users that only the outdated V1 TUSD vault was affected and emphasised that newer deployments incorporate lessons learned from past vulnerabilities.
Nevertheless, the attack underscores the importance of actively auditing and deprecating legacy contracts to prevent the exploitation of similar flaws in the future.
The post Yearn Finance losses $300K in a TUSD vault exploit appeared first on Invezz