BlockBeats News, December 1st: According to The Block, Yearn Finance appears to have been attacked. Its Yearn Ether (yETH) product, which aggregates popular liquid staking tokens (LSTs), was drained of millions of dollars' worth of LST assets.
Blockchain data shows that the attacker exploited a carefully crafted vulnerability to mint a nearly infinite amount of yETH tokens in a single transaction, effectively draining the pool. The attack transaction resulted in 1,000 ETH (approximately $3 million at current prices) being sent to the privacy protocol Tornado Cash. The attack involved multiple newly deployed smart contracts, some of which self-destructed after the transactions. The exact scale of the losses is currently unclear, but before the attack, the yETH pool held around $11 million.
This hack was initially discovered by user Togbe, who noticed the attack while monitoring large transfers. "A net transfer showing the over-minting of yETH allowed the attacker to drain the pool in some way and make about 1000 ETH in profit," Togbe stated in the message. "For some reason, some ETH was sacrificed along the way, but they still ended up profiting."
"We are investigating the incident involving the yETH LST Stable Swap Pool," Yearn stated on X. "Yearn's V2 and V3 Vaults are unaffected."
Yearn Finance previously suffered an attack in 2021 that affected its yDAI insurance vault, resulting in an $11 million loss, with the hacker ultimately profiting $2.8 million. In December 2023, the protocol lost 63% of one of its treasury positions due to a scripting error, but user funds were unaffected. Yearn's founder, Andre Cronje, established the project in 2020 and departed two years later.
