Yearn Finance, a prominent player in the decentralized finance (DeFi) sector, has encountered a severe security breach that has led to a staggering loss of nearly $9 million. The exploit targeted a stable-swap pool associated with Yearn's yETH token, enabling the attacker to mint an almost infinite supply of tokens and subsequently drain the liquidity pool in a single transaction.
The incident occurred on November 30 at approximately 21:11 UTC. According to reports from Yearn Finance, the vulnerability was linked to a custom contract that diverged from the design of the platform's primary products. This flaw allowed the hacker to create a massive amount of fake yETH tokens, far exceeding the intended limits. By leveraging these counterfeit tokens, the attacker siphoned off real ETH and liquid staking assets from the pool.
In total, the breach resulted in the extraction of around $8 million from the main stableswap pool and an additional $0.9 million from the yETH-WETH pool on Curve. The total damage is assessed at nearly $9 million, raising significant concerns within the community regarding the security protocols employed by DeFi platforms.
Following the hack, blockchain security firm PeckShieldAlert reported that the exploiter quickly transferred approximately 1,000 ETH, equivalent to about $3 million, into Tornado Cash, a service commonly used to obfuscate transaction histories. The remaining assets, valued at roughly $6 million, are still held in the hacker's wallet, which includes a variety of staked Ethereum derivatives such as pxETH, frxETH, cbETH, Lido stETH, and Rocket Pool rETH.
The Yearn Finance team has acted swiftly to address the situation, confirming that the exploit was confined to the legacy yETH product. They reassured users that active vaults and their respective funds remain secure. Currently, the team is collaborating with security experts and auditors to thoroughly investigate the exploit, although no recovery plan has been disclosed at this time.
In the aftermath of the breach, the market reaction impacted Yearn's governance token (YFI), which experienced a decline of approximately 4.4%, trading around $3,956. This incident highlights the ongoing vulnerabilities that DeFi projects face and underscores the imperative for robust security measures in the rapidly evolving crypto landscape.