DeFi Protocol Yearn Finance Suffers yETH Super-Mint Attack Draining Millions

Yearn Finance yETH Vault Exploit Drains Over $3M in LST Tokens as Investigators Assess Damage and Recovery Plans
Written by: Kelvin Munene
Reviewed by: Atchutanna Subodh

DeFi platform Yearn Finance is investigating a major exploit in its Yearn Ether (yETH) vault, which pools liquid staking tokens like stETH and rETH. On Nov. 30, an attacker used a chain of smart contracts to mint an almost unlimited amount of yETH.

The attacker then traded those tokens for real assets in linked liquidity pools, rapidly draining the yETH pool of ETH and other LSTs before moving a large share of the funds through Tornado Cash.

Blockchain data indicate that approximately 1,000 ETH, valued at roughly $3 million, was transferred via the privacy mixer Tornado Cash. The yETH pool held approximately $11 million before the attack. Independent researcher Togbe pointed out that the transactions resemble a super-mint-like mechanism, in which the attacker can profit at the expense of the ETH.

Yearn Finance Responds to the Incident

Yearn Finance confirmed the exploit through its official X account and said its V2 and V3 vaults were not affected. The attack specifically targeted the newer yETH product, with the majority of assets in the ecosystem remaining unaffected.

The protocol emphasised that security audits were being carried out. It is one of the worst events Yearn has experienced since 2021, and analysts note that it highlights the risks associated with advanced yield strategies in low-liquidity markets. Users are advised to exercise caution and stay up to date when using experimental vaults.

Historical Strains and Protocol Challenges

Yearn Finance has already engaged high-profile security businesses. In February 2021, the yDAI vault was compromised, costing the protocol an estimated $11 million, and the fraudsters obtained approximately $3 million. In December 2023, a buggy script caused the failure of 63% of one of the treasury jobs, although it did not impact user assets.

The DeFi platform launched in 2020, led by Andre Cronje until his departure in 2022, and has continued to expand its yield products. The yETH exploit highlights the operational security risks and the complexity of newly developed financial products in DeFi.


Next Steps for Recovery and Analysis

Investigators are analyzing the exploit to determine how it occurred and whether it can be mitigated. According to security experts, the attack also shows a thorough understanding of the Yearn contract system, which points to knowledge of its economic design rather than of the common vulnerabilities that exist within it.

The case highlights the persistent risks associated with decentralized finance, particularly in products involving tokenized staking derivatives. Yearn users are awaiting a full post-mortem, and the DeFi community is questioning the security of experimental yield-aggregation procedures.
