Hackers Drain Funds from Defunct DeFi Lending Protocol Yield Protocol
Hackers have successfully exploited the smart contracts of the now-defunct decentralized finance (DeFi) lending protocol Yield Protocol, draining crypto assets amounting to approximately $181,000.
Yield Protocol ceased operations in December 2023, citing challenges with diminishing business demand and mounting global regulatory pressures.
Yield Protocol Exploited Despite Warnings, Hacker Withdraws $181,000
Hi @yield, you may want to a look (w/ $181K) pic.twitter.com/wbzVgrvyyy
— PeckShield Inc. (@peckshield) April 30, 2024
Despite Yield Protocol’s repeated advisories for investors to close their positions, withdraw funds, and settle pending loans following its wind-down, an unidentified hacker exploited weaknesses within the protocol’s strategic contracts deployed on the Arbitrum blockchain. Blockchain investigation firm PeckShield initially disclosed the breach, which CertiK later corroborated.
We have seen an exploit on @yield strategy contracts on Arbitrum for ~$181K.
The attacker exploited a discrepancy between the pool token balance and total supply with flash-loaned assets and then withdrew extra pool tokens.
Stay Vigilant! pic.twitter.com/9cLDWt0e3f
— CertiK Alert (@CertiKAlert) April 30, 2024
According to CertiK’s investigation findings, the hacker exploited a discrepancy between the pool token balance and total supply using flash-loaned assets, allowing them to withdraw additional pool tokens.
🚨ALERT🚨Our system has identified a suspicious transaction linked to @yield. This suspicious address has been flagged since the malicious contract deployment.
The attacker managed to acquire $181K, initially funded by @ChangeNOW_io on #Arbitrum. The funds remain in the… pic.twitter.com/sgYiRCAKJh
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) April 30, 2024
Further insights provided by the web3 cybersecurity alert firm Cyvers Alert revealed that the attacker initially obtained funds amounting to $181,000, which were facilitated by @ChangeNOW_io on the Arbitrum network. These funds remain in the attacker’s possession.
Yield Protocol was among the 11 decentralized finance protocols impacted by the attack on the noncustodial lending platform Euler Finance. Following the March 13 attack, Yield Protocol temporarily halted mainnet borrowing and reported losses from its liquidity pools of less than $1.5 million, whereas Euler Finance suffered losses exceeding $195 million.
However, on May 18, Yield Protocol announced its return to full functionality. Users were informed they could resume borrowing and lending for the June and September series. Additionally, the protocol outlined a timeline, estimating that users would take approximately a week to claim replacement tokens.
Yield Protocol Recovers from Hack, Faces New Challenges; Cryptocurrency Industry Continues to Combat Security Risks
Following Euler’s recovery of most of the lost funds from the hackers in April, Yield Protocol collaborated with Euler on the restitution process. This involved deploying 26 new contracts and executing approximately 300 permissioned calls to reset the fixed-yield token maturities and restore the protocol to its previous state.
To ensure that users are fully compensated for any losses incurred, Yield Protocol initiated a process whereby liquidity provider tokens are swapped for newly minted tokens created during restoration. In a blog post, Yield Protocol expressed gratitude that the hack did not result in losses for the community. Still, it acknowledged the arduous journey to restoring the protocol to full functionality.
However, amid these efforts, Yield Protocol faced another challenge in May when a bug was discovered in its strategy contracts. This necessitated a two-week pause in the protocol’s operations while the issue was addressed and resolved.
However, the Yield Protocol officially terminated its support on February 2, and while the protocol had experienced periods of resurgence in the past, efforts to reclaim the stolen funds appear improbable.
The cryptocurrency industry continues to grapple with security challenges, with the erosion of legitimacy stemming from ongoing hacking incidents and fraudulent activities. In the first quarter of 2024, approximately $336.3 million worth of cryptocurrencies fell victim to hacks and rug pulls across 46 hacking incidents and 15 cases of fraudulent activities, as reported by blockchain security firm Immunefi.
Despite efforts to mitigate losses, only $73.9 million (22%) of the stolen funds from seven exploits in Q1 were successfully recovered. However, there was a slight improvement in the number of attacks, with a decrease of 17.6% compared to Q1 2023, totaling 61 incidents in 2024.
March was particularly challenging, with nearly $100 million in digital assets stolen, according to blockchain security firm PeckShield. Over 30 hacking incidents occurred during this period, resulting in $187 million in lost funds. However, there was a silver lining, with 52.8% of the hacked funds being successfully returned.
