Yearn Finance’s yETH Hit With $9M Exploit, Hacker Drains Entire Pool
Decentralized finance (DeFi) platform Yearn Finance’s yETH product was hit with a multi-million exploit after an attacker drained the token’s entire pool in a single transaction.
Yearn confirmed the incident on X, while reassuring users that its V2 and V3 Vaults remained secure and were unaffected.
“Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis,” Yearn said in a follow-up X post. “There is no other Yearn product using similar code to what was impacted.”
Hacker Generated Substantial Amounts Of yETH Tokens
The incident was first flagged by the X user Togbe, who highlighted “heavy transactions” on Liquid Staking Derivatives (LSTs) including yearn, rocket pool, origin and dinero.
The incident reportedly involved multiple newly deployed smart contracts, which had self-destructed after the transaction in an effort to hide the exploit’s logic.
An analysis of on-chain data from Ethereum blockchain explorer Etherscan shows that the exploit generated near-infinite amounts of yETH, resulting in millions being drained from the token’s Balancer pools.
Initial reports said that the attackers walked away with roughly 1,000 ETH valued at around $3 million at current prices. These tokens were routed to the transaction mixer Tornado Cash.
In a more recent announcement, Yearn Finance said that it has lost an overall $9 million from the attack. Of this amount, $8 million was drained from the stableswap pool and $0.9 million was stolen from the yETH-WETH stableswap pool on Curve.
Prior to the incident, the yETH pool had a total value of around $11 million, data from Dexscreener shows.
yETH pool details (Source: Dexscreener)
As of 6:29 a.m. EST, the pool’s liquidity stands at approximately $901K.
Earlier today, the DeFi protocol said on X that yETH holders can withdraw their positions back to ETH, and included a link to the withdrawals platform. But when opened, the link shows a suspension message.
Despite that, several users commented under the post that they had successfully withdrawn their yETH back into ETH.
Not The First Incident For Yearn Finance
The $9 million theft is the latest incident that Yearn Finance has suffered over the years.
In 2021, the DeFi platform lost $11 million when attackers exploited its yDAI vault, the hacker walking away with $2.8 million.
Then, in December 2023, the protocol said that a faulty script had wiped out 63% of one of its treasury positions. However, no user funds were affected with this incident.
Andre Cronje, who founded Yearn in 2020, departed the project two years later.
Crypto Lost $127 Million To Hacks And Scams Last Month
Blockchain security firm Certik said yesterday that the crypto industry lost $127 million to hacks and exploits last month alone.
Balancer suffered the biggest of over $116 million in a sophisticated cross-chain exploit that affected multiple blockchains.
Approximately $135 million was lost in DeFi incidents, while another $29.8 million was stolen through exchange hacks, Certik said.
Related Articles:
About Author
About Author
