defirisk.co
rubric v1.7.0

Yearn Finance (iearn yUSDT): Misconfiguration (copy/paste error) in yUSDT — wrong Fulcrum USDC address used instead of USDT → share price manipulation → 1.2 quadrillion yUSDT minted

Yearn's legacy yUSDT contract — live for 1,156 days with a copy/paste error using the wrong Fulcrum address since deployment — was exploited for $11.4M; a last-minute Twitter warning was useless because the contract is immutable.

Occurred: 2023-04-13 | Loss: $10M | Status: closed

Summary

Yearn Finance (iearn yUSDT), a yield aggregator / vault (legacy iearn contract), suffered an exploit on 2023-04-13, resulting in a loss of approximately $10M.

Linked factors

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: No — yUSDT was not audited]
  • RD-F-002 — related : Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: ~3 years (Feb 2020 audit; April 2023 exploit)]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (yUSDT specifically) — copy/paste error at deployment]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Yearn has a bug bounty; immutable contract meant no patch was possible even with disclosure]
  • RD-F-076 — related : Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: yUSDT deployed ~2020; exploited after 1,156 days = ~3.2 years]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Last-minute warning posted on Twitter (by storming0x); Tornado Cash funding of attacker]