{"id":34313,"date":"2021-01-02T18:08:02","date_gmt":"2021-01-02T16:08:02","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=34313"},"modified":"2025-08-28T19:50:08","modified_gmt":"2025-08-28T16:50:08","slug":"critical-vulnerability-found-in-new-defi-protocol-from-yearn-finance-founder","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/critical-vulnerability-found-in-new-defi-protocol-from-yearn-finance-founder\/","title":{"rendered":"Critical vulnerability found in new DeFi protocol from yEarn.Finance founder"},"content":{"rendered":"<p>An exploit detected in the smart contract of the DeFi project yCredit, launched yesterday, allows draining all user funds, according to blockchain developer Nour Haridy.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">IMPORTANT<\/p>\n<p>The yCredit contract is vulnerable to an economic attack that can cause loss of all user funds.<\/p>\n<p>If you deposited into the contract using Etherscan or bought yCredit on Sushiswap, withdraw or sell it immediately.<\/p>\n<p>I\u2019ll publish the exploit after all funds are withdrawn.<\/p>\n<p>\u2014 nour (@NourHaridy) <a href=\"https:\/\/twitter.com\/NourHaridy\/status\/1345042427141304326?ref_src=twsrc%5Etfw\">January 1, 2021<\/a><\/p>\n<\/blockquote>\n<p>The creator of yEarn.Finance, Andr\u00e9 Cronje, <a href=\"https:\/\/u1f987.com\/en\/news\/andre-cronje-founder-of-yearn-finance-unveils-new-defi-project-ycredit\">unveiled a new project<\/a> on December 31. 
The yCredit platform allows depositing ERC-20 tokens and borrowing yCredit coins equalling 99.5% of the deposited amount.<\/p>\n<p>Haridy described the project as &quot;super-ambitious&quot; and &quot;pushing the boundaries of capital efficiency.&quot; However, he urged users to withdraw all funds, warning that it is only a matter of time before someone exploits the vulnerability he uncovered.<\/p>\n<p>Developer Ivan Martinez, with whom Haridy shared the discovery, confirmed that the exploit works. Martinez said someone has already exploited a different attack vector against yCredit.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">Someone used a different attack vector on yCredit than what <a href=\"https:\/\/twitter.com\/NourHaridy?ref_src=twsrc%5Etfw\">@NourHaridy<\/a> discovered. <a href=\"https:\/\/t.co\/cer3GtUzHp\">https:\/\/t.co\/cer3GtUzHp<\/a><\/p>\n<p>Makes you think, would an audit capture these? What if Andre puts just enough of his own funds to make exploiting attractive? Maybe its even cheaper\/faster vs. 
an audit \ud83e\udd14<\/p>\n<p>\u2014 Ivan Martinez (@0xKiwi_) <a href=\"https:\/\/twitter.com\/0xKiwi_\/status\/1345281360878039040?ref_src=twsrc%5Etfw\">January 2, 2021<\/a><\/p>\n<\/blockquote>\n<p>Presenting the project, Cronje noted that the yCredit protocol is in an experimental stage and users participate at their own risk.<\/p>\n<p>Earlier, in September, an unknown attacker <a href=\"https:\/\/u1f987.com\/en\/news\/hacker-siphons-15-million-from-unfinished-defi-project-eminence\">withdrew user assets<\/a> worth about $15 million from Andr\u00e9 Cronje&#8217;s Eminence, a DeFi project built for testing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An exploit detected in the smart contract of the DeFi project yCredit, launched yesterday, allows draining all user funds, according to blockchain developer Nour 
Haridy.<\/p>\n","protected":false},"author":1,"featured_media":34314,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1093],"class_list":["post-34313","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"31","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/34313","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=34313"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/34313\/revisions"}],"predecessor-version":[{"id":34315,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/34313\/revisions\/34315"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/34314"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=34313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=34313"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=34313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}