defirisk.co
rubric v1.7.0

Yearn Finance (legacy iearn TUSD V1 vault — deployed 2020): Flash loan → misconfigured vault (TUSD vault tracking iSUSD/sUSD strategy) → share accounting inflation → Curve yPool drain

Occurred: 2023-12-16 | Loss: $293K | Status: closed

Summary

Yearn Finance (legacy iearn TUSD V1 vault — deployed 2020) suffered an exploit in the Yield Aggregator / Vault (legacy V1) category on 2023-12-16, resulting in a loss of approximately $293K.

What happened

A 2,100-day-old Yearn vault with a misconfigured strategy pointing to the wrong asset was drained for $293K — the same bug that cost $10M in April 2023, now copy-pasted from the archives.

Linked factors

  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited at time of exploit; legacy configuration error never caught]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: ~2,100 days (~5.75 years) at time of exploit]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — 30M USDC Morpho flash loan is a strong signal on a legacy vault with minimal TVL]