A recent security breach has exposed vulnerabilities in the smart contracts of the now-defunct decentralized finance (DeFi) lending platform, Yield Protocol. The protocol ceased operations in December 2023, attributing its closure to the challenges of sustaining business demand amidst global regulatory pressures. Despite repeated warnings to investors to close their positions and withdraw funds following the shutdown, an unidentified hacker managed to siphon approximately $181,000 worth of crypto assets from Yield’s strategy contracts on the Arbitrum blockchain.
The breach was initially disclosed by blockchain investigation firm PeckShield and subsequently confirmed by CertiK.
Hi @yield, you may want to take a look (w/ $181K)
— PeckShield Inc. (@peckshield) April 30, 2024
CertiK’s investigation revealed that the attacker exploited a discrepancy between the pool token balance and total supply using flash-loaned assets, enabling them to withdraw extra pool tokens.
We have seen an exploit on @yield strategy contracts on Arbitrum for ~$181K.
The attacker exploited a discrepancy between the pool token balance and total supply with flash-loaned assets and then withdrew extra pool tokens.
Stay Vigilant!
— CertiK Alert (@CertiKAlert) April 30, 2024
Yield Protocol officially ceased support on February 2, and efforts to recover the stolen funds appear futile.
Official support for Yield Protocol has ended. Thank you to everyone who has been a part of this journey with us. We've had a blast and are proud to be a part of the crypto community.
— Yield Protocol (@yield) February 2, 2024
This incident follows an earlier one in March 2023, when Yield Protocol, along with 10 other DeFi protocols, was affected by the attack on the noncustodial lending platform Euler Finance. By July 2023, however, Yield Protocol had fully recovered from the Euler flash loan attack.
Protocol restoration on Mainnet is complete! We have now fully recovered the protocol from the Euler hack and the liquidity provider bug.
LPs are once again earning fees. To withdraw, LPs need to first upgrade their strategy tokens. View instructions here https://t.co/wVbPXrJKsy
— Yield Protocol (@yield) June 27, 2023
During the recovery process, Yield Protocol collaborated with Euler, deploying 26 new contracts and executing around 300 permissioned calls to reset fixed-yield token maturities and restore the protocol’s functionality.
Despite ongoing security challenges within the DeFi space, there has been a notable decline in losses attributed to hacking and scams in the first quarter of 2024 compared to 2023. According to a report by blockchain security firm Immunefi, losses due to hacking and fraud incidents decreased by 23%, amounting to approximately $336.3 million in Q1 2024, down from $437.5 million in the same period of 2023.