Vulnerability Report: Subdomain Takeover
Subdomain: ybribe.yearn.fi
Severity: Medium / High
Type: Subdomain Takeover via orphaned Vercel deployment
Date Discovered: 2026-06-10
Summary
The subdomain ybribe.yearn.fi has an orphaned DNS CNAME record pointing to Vercel (cname.vercel-dns.com), but the associated Vercel project has been deleted. This allows any attacker to claim the subdomain by creating a new Vercel project with matching configuration.
Evidence
$ dig +short CNAME ybribe.yearn.fi
cname.vercel-dns.com.
$ curl -sI https://ybribe.yearn.fi
HTTP/2 404
server: Vercel
x-vercel-error: DEPLOYMENT_NOT_FOUND
x-vercel-id: fra1::knm6j-1781085413562-02cd9635a3c0
Impact
An attacker can:
- Create a Vercel project and claim the ybribe.yearn.fi hostname
- Serve arbitrary content — including a phishing page mimicking the legitimate yBribe interface
- Steal user credentials, private keys, or seed phrases from users who trust *.yearn.fi domains
- A valid TLS certificate (Let's Encrypt, expires 2026-06-28) already exists for this domain, lending credibility to any content served there
Steps to Reproduce
- Run: curl -sI https://ybribe.yearn.fi
- Observe x-vercel-error: DEPLOYMENT_NOT_FOUND in the response headers
- Any Vercel user can add ybribe.yearn.fi as a custom domain to a new project
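The two reproduction steps above can be turned into an automated check that a DNS owner runs over their own zone to catch dangling Vercel CNAMEs before anyone else does. The following is an added example, not code from the report or from Vercel; it assumes the semantics shown in the evidence (a CNAME to cname.vercel-dns.com plus a 404 carrying x-vercel-error: DEPLOYMENT_NOT_FOUND means the hostname is unclaimed), and the sample responses are constructed from that evidence.

```python
"""Offline classifier for dangling Vercel CNAMEs, fed with `dig` and `curl -sI` output."""
import re

# Assumption: CNAME targets under this suffix are Vercel-managed (the one the report shows).
VERCEL_CNAME_SUFFIX = "vercel-dns.com."
DANGLING_MARKER = "DEPLOYMENT_NOT_FOUND"

# Constructed sample inputs: the first mirrors the report's headers, the second is a healthy control.
SAMPLE_DANGLING = "HTTP/2 404\nserver: Vercel\nx-vercel-error: DEPLOYMENT_NOT_FOUND\nx-vercel-id: fra1::sample\n"
SAMPLE_HEALTHY = "HTTP/2 200\nserver: Vercel\ncontent-type: text/html; charset=utf-8\n"


def parse_head(raw: str):
    """Parse `curl -sI` output into (status_code, {lower-cased header name: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    match = re.match(r"HTTP/\S+\s+(\d{3})", lines[0]) if lines else None
    if not match:
        raise ValueError("not an HTTP status line: %r" % (lines[0] if lines else raw))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def classify(cname_target: str, raw_head: str) -> str:
    """Return 'dangling', 'healthy' or 'not-vercel' for one hostname.

    cname_target is the `dig +short CNAME` answer; raw_head is the `curl -sI` output.
    """
    target = cname_target.strip().rstrip(".").lower() + "."  # normalise trailing dot
    if not target.endswith(VERCEL_CNAME_SUFFIX):
        return "not-vercel"  # other providers need their own fingerprint
    status, headers = parse_head(raw_head)
    if status == 404 and headers.get("x-vercel-error") == DANGLING_MARKER:
        return "dangling"  # nothing is deployed behind this hostname: remove or re-point the CNAME
    return "healthy"


def find_dangling(records):
    """records: iterable of (hostname, cname_target, raw_head); returns hostnames flagged dangling."""
    return [host for host, cname, head in records if classify(cname, head) == "dangling"]


if __name__ == "__main__":
    zone = [("app-a.example.test", "cname.vercel-dns.com.", SAMPLE_DANGLING),
            ("app-b.example.test", "cname.vercel-dns.com.", SAMPLE_HEALTHY),
            ("docs.example.test", "pages.example.test.", SAMPLE_DANGLING)]
    print(find_dangling(zone))  # -> ['app-a.example.test']
```

Run it against real zone data by piping each host's `dig +short CNAME` and `curl -sI` output into the records list; anything flagged dangling should have its CNAME removed or re-pointed immediately.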
Remediation
Immediate action required: Remove the CNAME record for ybribe.yearn.fi from your DNS configuration, or point it to a controlled deployment.
Disclosure: Submitted here because Immunefi submissions require identity verification, which is currently unavailable. This is a responsible disclosure with no exploitation performed. Requesting payment to ETH: 0xD0BcC1A55FfDecccDbb07972b3FD9491E9BDB737 or USDT TRC20: TH6AafbHHJx7CFy23VYi6VX7xgMoi46RFx if eligible for bounty.