Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Yearn Finance Hacked from Misconfigured Tokens- 1144

Rekt, posted 2 years ago
  • Yearn Finance is a suite of products for earning yield on digital assets. This includes staking tokens to earn interest and selling/buying votes. For the yield-bearing assets, users can put positions into Aave, Compound, dYdX and bZx's Fulcrum.
  • The bad contract was the legacy iEarn USDT token contract. What was wrong with it? There is no inherent security issue in the code; it was a misconfiguration of the pools being used. In particular, the contract used the Fulcrum USDC address instead of the USDT address.
  • Why is this bad? This makes manipulation of the pool possible. From my basic understanding, the attacker needed to hit the code path for this misconfiguration. This was done by rebalancing the protocol to use Fulcrum instead of Aave and Compound. To make the hack as financially profitable as possible, they forced all of the funds to be sent back to the contract instead of being in the pools.
  • Finally, to exploit the misconfiguration, they sent a single USDT token to the pool. Since it didn't have any USDT, the USDT amount (which was really the USDC amount) was divided by the real amount of yUSDT, which is 1 from our donation. This led to 1.2 quadrillion yUSDT being minted when it shouldn't have been. Yikes!
  • The attacker then traded these funds to other locations in the Yearn Finance ecosystem in order to profit heavily from the issue. A dumb copy-and-paste mistake required a complex manipulation to exploit, which is pretty wild. Overall, a good read but hard to follow without understanding the codebase.
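To make the share arithmetic in the bullets above concrete, here is a small Python model I added; it is not the iEarn contract code or anything from the Rekt post, and every name, class and number in it (the `Pool`/`Vault` classes, the one-million-share supply, the single-token balance) is constructed for illustration. It shows why a vault that prices its shares from whichever pool it happens to be configured with mints an absurd number of shares when that pool is the wrong one, and the one-line configuration check that would have refused the mismatched pool in the first place.

```python
"""
Simplified model of a yield-vault share calculation whose pool balance is read
from a configured external pool. Not the real iEarn code: all names and numbers
here are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    """A lending pool that holds one underlying asset (e.g. 'USDT' or 'USDC')."""
    underlying: str
    vault_balance: float  # how much of `underlying` the vault holds in this pool


class Vault:
    """Mints shares proportional to the deposit's fraction of pool value."""

    def __init__(self, underlying: str, pool: Pool, total_supply: float):
        self.underlying = underlying
        self.pool = pool          # trusted blindly: this is the misconfiguration point
        self.total_supply = total_supply

    def pool_value(self) -> float:
        # The vault reports whatever balance its configured pool reports.
        return self.pool.vault_balance

    def shares_for_deposit(self, amount: float) -> float:
        # shares = amount * totalSupply / poolValue (1:1 when the vault is empty)
        value = self.pool_value()
        if self.total_supply == 0 or value == 0:
            return amount
        return amount * self.total_supply / value

    def deposit(self, amount: float) -> float:
        shares = self.shares_for_deposit(amount)
        self.total_supply += shares
        self.pool.vault_balance += amount
        return shares


class CheckedVault(Vault):
    """Same math, but refuses a pool whose asset does not match the vault's."""

    def __init__(self, underlying: str, pool: Pool, total_supply: float):
        # Configuration-time invariant: the pool must hold the vault's own asset.
        if pool.underlying != underlying:
            raise ValueError(
                f"pool holds {pool.underlying}, vault is denominated in {underlying}")
        super().__init__(underlying, pool, total_supply)


def demo():
    """Returns (shares minted by a correct vault, shares minted by a misconfigured one)."""
    # Constructed: 1,000,000 shares outstanding, backed by 1,000,000 USDT in the
    # correct pool, so one USDT deposit should mint about one share.
    usdt_pool = Pool("USDT", vault_balance=1_000_000.0)
    good = Vault("USDT", usdt_pool, total_supply=1_000_000.0)
    good_shares = good.deposit(1.0)

    # Constructed: same share supply, but the vault points at the USDC pool,
    # where it holds only the single token that was sent to it. The pool value
    # reads as 1, so a one-token deposit mints as many shares as already exist.
    usdc_pool = Pool("USDC", vault_balance=1.0)
    bad = Vault("USDT", usdc_pool, total_supply=1_000_000.0)
    bad_shares = bad.deposit(1.0)

    return good_shares, bad_shares


def rejects_mismatched_pool() -> bool:
    """True if the hardened vault refuses to be wired to a pool of another asset."""
    try:
        CheckedVault("USDT", Pool("USDC", vault_balance=1.0), total_supply=1.0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("correct vault, misconfigured vault:", demo())
    print("hardened vault rejects USDC pool:", rejects_mismatched_pool())
```

The point of the `CheckedVault` check is that the defect is in deployment configuration rather than in the share formula, so the cheapest defence is to verify at wiring time that every external pool address actually holds the asset the vault is denominated in (on-chain, the pool's own asset getter can be compared against the vault's token), rather than hoping a later review catches one wrong address.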