The Exploit Mechanics
On January 1, 2021, blockchain developer Nour Haridy discovered a critical vulnerability in the yCredit DeFi protocol, a project launched by André Cronje, creator of yEarn.Finance. The exploit allows an economic attack that can drain all user funds from the smart contract. Haridy described the vulnerability as capable of causing “loss of all user funds” and immediately warned users who had deposited into the contract using Etherscan or bought yCredit on Sushiswap to withdraw or sell their positions immediately.
Affected Systems
The yCredit platform, which had been unveiled just days earlier on December 31, 2021, allows users to deposit ERC-20 tokens and borrow yCredit coins equivalent to 99.5% of the deposited amount. With Bitcoin trading at $29,374.15 and Ethereum at $730.37 on January 1, 2021, the potential value at risk was substantial. The vulnerability specifically targets the economic mechanisms within the smart contract rather than traditional code exploits, making it particularly dangerous as it could be executed by anyone who understands the financial incentives.
The Mitigation Strategy
Haridy’s warning was straightforward and urgent: “I’ll publish the exploit after all funds are withdrawn.” The discovery was shared with developer Ivan Martinez, who confirmed the exploit’s functionality. Martinez also noted that someone had already exploited a different attack vector against yCredit, suggesting multiple vulnerabilities in the system. The protocol was in an “experimental stage” according to Cronje, but users were participating with real funds worth millions of dollars at current market prices.
Lessons Learned
This incident highlights several critical lessons for the DeFi space in early 2021. First, even established developers like André Cronje can deploy experimental code with significant flaws. Second, the pressure to innovate quickly in DeFi often leads to insufficient testing and auditing. Third, users must remain vigilant and understand that experimental protocols carry inherent risks, even when created by reputable developers. On this date Bitcoin's market capitalization alone was approximately $546 billion and Ethereum's approximately $83 billion, making the stakes exceptionally high.
User Action Required
Users who had interacted with yCredit were advised to immediately withdraw their funds or sell their yCredit tokens on secondary markets. The vulnerability represented a systemic risk that could be exploited at any time. Haridy’s decision to publish the full exploit details only after all funds were withdrawn was an ethical compromise aimed at protecting users while maintaining transparency about the protocol’s weaknesses. This incident served as an early warning about the dangers of economic attacks in DeFi protocols, a threat vector that would become increasingly prominent throughout 2021.
Despite the warnings, the yCredit project continued as an experimental protocol, underscoring the Wild West nature of early DeFi development where user funds were often treated as playtest capital rather than protected assets.

andre cronje launches something on new years eve and by jan 1 it's already drainable. degen speedrunning at this point
andre launching on new years eve is the most degen timeline. dude literally couldn't wait 24 hours to push untested code to mainnet
bro haridy found it within hours of launch. imagine if he wasn't whitehatting
The 99.5% collateralization ratio was the red flag. No sane protocol lets you borrow that close to the deposit value without asking for trouble.
right, even Aave caps at like 80% on stablecoins. 99.5% on volatile assets is just asking for cascading liquidations
Even MakerDAO with years of battle testing caps at lower ratios. This was a governance failure before it was a code failure.
exactly. who approved 99.5% LTV in governance? that's the real question nobody is asking
chain_safety_net 99.5% LTV on volatile assets approved by governance. every voter on that proposal should be held accountable
99.5% LTV is basically a gift to anyone who understands liquidation mechanics. haridy flagged it immediately but the governance voters approved it anyway. accountability is zero
andre dropping yCredit on new years eve with zero audits is the most 2021 thing possible. the whole era was ship first, audit never