TechFlow News: On April 29, on-chain analyst PeckShield (@PeckShieldAlert) reported that a user’s Alchemix Yearn yvVault position (token $yvWETH) was compromised, resulting in an estimated loss of approximately $1 million.
The root cause of the attack traces back to the user previously granting token approval to an unverified contract (contract address: 0x143a), which was deployed ten days ago. Reverse-engineering analysis revealed a vulnerability in this contract enabling arbitrary call execution. Leveraging this vulnerability, the attacker successfully transferred the victim’s yvVault position.
PeckShield has now publicly disclosed the specific logic underlying this vulnerability. Users are advised to review and revoke token approvals granted to unknown or unverified contracts to mitigate asset risks.
