Aave and Yearn Finance, two of Ethereum’s most popular decentralized finance (DeFi) protocols, have fallen victim to an exploit, according to blockchain security firm PeckShield.

The attack appears to have used a flash loan on Yearn Finance and focused on Aave V1. The damage caused is estimated to exceed $11 million.

LookOnChain reported that the attacker received a mix of stablecoins from both platforms, including DAI, USDC, BUSD, TUSD, and USDT. However, Aave V2 and V3 are not believed to have been impacted.

Head of Aave integration, Marc Zeller, explained that Aave V1 has been frozen since December 2022, making the chances of an issue unlikely but not impossible.

Users can still withdraw their funds from V1 through the traditional app, with the current size of V1 standing at $18 million. Zeller also confirmed that there is currently no known impact on Aave V2 and V3.

Crypto researcher Samczsun of Paradigm suggested that the version of USDT developed by Yearn Finance, yUSDT, has been broken since its launch around three years ago. He said it was misconfigured to use the Fulcrum iUSDC token instead of the Fulcrum iUSDT token.

At the time of writing, the ETH price was holding steady at $1,990 despite fears of a dump due to the Shanghai hard fork.