Same-root-cause repeat exploit
Yearn Finance's assessment for RD-F-079 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Incidents #2 (2023-04-13, yUSDT) and #4 (2023-12-16, iearn TUSD) share an identical root cause: a legacy immutable iearn contract configured with the wrong Fulcrum address since deployment day, never corrected, with user funds never migrated. Hacksdatabase yearn-rekt4.md explicitly describes incident #4 as 'a virtual carbon copy of the April 2023 iearn USDT vault bug' with the same configuration error pattern. Two events in an identical root-cause cluster = red. Incidents #1 (migration window) and #3 (Newton-Raphson underflow) have distinct root causes.
Sources
- URL: rekt.news — Yearn Finance 4th exploit (2023-12-16). rekt.news yearn-rekt4 — corroborates identical root cause pattern between 2023-04 and 2023-12 incidents. Retrieved 2026-05-16.
- Yearn Finance 2nd Exploit — wrong Fulcrum address root cause. hacksdatabase/hacks/yearn2-rekt.md — 2023-04-13 yUSDT Fulcrum-USDC address misconfiguration root cause. Retrieved 2026-05-16.
- Yearn Finance 4th Exploit — identical Fulcrum misconfiguration root cause. hacksdatabase/hacks/yearn-rekt4.md — 2023-12-16 TUSD vault identical Fulcrum misconfiguration; 'virtual carbon copy' characterization. Retrieved 2026-05-16.
Methodology
Determine whether the protocol has been exploited ≥2 times via the same root-cause cluster.