Hackers siphon funds from the inactive DeFi lending platform Yield Protocol

Hackers have managed to exploit vulnerabilities within the smart contracts of the defunct decentralized finance (DeFi) lending platform, Yield Protocol, resulting in the depletion of crypto assets totaling around $181,000.

Yield Protocol’s demise occurred in December 2023, as the platform grappled with a myriad of issues, including waning business demand and escalating regulatory scrutiny on a global scale. These challenges ultimately rendered the protocol unsustainable, prompting its cessation of operations.

Despite warnings, the Yield Protocol fell victim to exploitation, leading to the withdrawal of $181,000 by a hacker.

Despite the Yield Protocol’s persistent warnings urging investors to take action by closing their positions, withdrawing funds, and settling pending loans in light of the platform’s planned wind-down, an unknown hacker managed to exploit vulnerabilities within the protocol’s smart contracts deployed on the Arbitrum blockchain. This breach, initially disclosed by the blockchain investigation firm PeckShield, was later validated by CertiK.

The protocol’s advisories aimed to mitigate potential risks and safeguard users’ assets during the winding-down process. Despite these cautionary measures, the hacker identified and exploited weaknesses within the protocol’s strategy contracts, resulting in the unauthorized withdrawal of approximately $181,000 worth of crypto assets. The incident highlights the persistent challenges decentralized finance (DeFi) platforms face in maintaining the security and integrity of their smart contracts, and the importance of robust security measures and vigilant oversight in blockchain-based financial services.

Based on CertiK’s investigation, the hacker leveraged a disparity between the pool token balance and the total supply by utilizing flash-loaned assets, enabling them to withdraw surplus pool tokens.

Additional insights from the web3 cybersecurity alert firm Cyvers Alert indicate that the assailant initially acquired funds totaling $181,000, facilitated by @ChangeNOW_io on the Arbitrum network. These funds remain under the control of the attacker.

Yield Protocol found itself among the 11 decentralized finance protocols affected by the breach targeting the noncustodial lending platform Euler Finance. Following the assault on March 13, Yield Protocol temporarily suspended mainnet borrowing and disclosed losses from its liquidity pools amounting to less than $1.5 million, contrasting with Euler Finance’s losses exceeding $195 million.

Nonetheless, on May 18, Yield Protocol declared its resumption of full functionality. Users received notification that they could recommence borrowing and lending for the June and September series. Furthermore, the protocol outlined a timeline, estimating that users would require approximately one week to claim replacement tokens.

Yield Protocol bounces back from the hack but faces new challenges in the ongoing battle against security threats in the cryptocurrency sector.

Following Euler’s retrieval of most of the pilfered funds from hackers in April, Yield Protocol embarked on a collaborative effort with Euler to facilitate the restitution process. This endeavor entailed the deployment of 26 new contracts and the execution of approximately 300 permissioned calls to reset the maturities of fixed-yield tokens and restore the protocol to its former state.

In a bid to ensure comprehensive compensation for any incurred losses, Yield Protocol initiated a mechanism whereby liquidity provider tokens are exchanged for freshly minted tokens generated during the restoration process. While expressing gratitude in a blog post that the hack did not culminate in community losses, Yield Protocol acknowledged the strenuous journey involved in restoring the protocol to full operational capacity.

However, amidst these restorative endeavors, Yield Protocol encountered another hurdle in May when a bug was unearthed in its strategy contracts. Consequently, a two-week hiatus in the protocol’s operations ensued as efforts were directed towards addressing and rectifying the issue.

Nevertheless, on February 2, Yield Protocol officially terminated its support, and despite intermittent resurgences in the past, prospects of reclaiming the pilfered funds appear bleak.

Meanwhile, the cryptocurrency industry grapples with persistent security challenges, perpetuated by a series of hacking incidents and fraudulent activities that undermine its credibility. According to blockchain security firm Immunefi, the first quarter of 2024 witnessed approximately $336.3 million worth of cryptocurrencies succumbing to hacks and rug pulls across 46 hacking incidents and 15 cases of fraudulent activities.

Efforts to recoup losses have yielded modest success, with only $73.9 million (22%) of stolen funds from seven exploits in Q1 successfully recovered. However, the number of attacks declined slightly, down by 17.6% compared to Q1 2023, for a total of 61 incidents in Q1 2024.

March proved particularly challenging, with nearly $100 million in digital assets pilfered, as reported by blockchain security firm PeckShield. Over 30 hacking incidents transpired during this period, resulting in $187 million in lost funds. Nonetheless, there was a glimmer of hope, with 52.8% of the purloined funds successfully retrieved.
