
Yearn Finance Exploit Drains $9M via yETH Infinite Mint Attack


Key Takeaways

  • A Yearn Finance exploit targeted the yETH liquid staking token (LST) stableswap pool through an infinite mint vulnerability.
  • The attacker drained approximately $3 million from Balancer liquidity pools using artificially created yETH.
  • Yearn confirms its core V2 and V3 vaults remain unaffected, with the incident isolated to the legacy yETH product.

Description of the yETH Attack

On November 30th, another decentralized finance (DeFi) protocol suffered a significant attack. The Yearn Finance exploit involved its yETH liquid staking token. The attackers discovered a vulnerability in the contract that allowed them to create 235 trillion yETH tokens through a single transaction.

Yearn Finance Exploit Drains $3M via yETH Infinite Mint Attack: An attacker minted trillions of yETH tokens to drain Balancer pools, moving approximately $3 million in stolen ETH through Tornado Cash.
Source: EtherScan

According to investigators, this massive, artificially created supply was then used to drain legitimate crypto (Ethereum) from Balancer’s liquidity pools, a pattern commonly referred to as an infinite mint attack.

In this Yearn Finance exploit, the attackers stole 1,000 ETH, which they subsequently mixed through Tornado Cash, a service that provides enhanced privacy features for coins, while the remaining $6M is held in the attacker’s wallet (0xa80d…c822).

X user Togbe was the first to report the Yearn Finance exploit. (Source X)
The remaining $6 million is in the attacker’s wallet.


Contained Damage and Market Paradox

Despite the severity of this Yearn Finance exploit, the damage appears to be contained to specific Balancer pools. Yearn quickly clarified that its core V2 and V3 vaults, along with its curated Morpho vaults, remained completely unaffected. 

Yearn Finance exploit under investigation. (Source: X)

Despite the severity of this Yearn Finance exploit, the team has released statements indicating that the damage appears contained: only a few of its Balancer liquidity pools were impacted by the attack, and neither its core vaults (V2/V3) nor its curated vaults (Morpho) sustained any losses due to the incident.


In a surprising market reaction, Yearn’s governance token, $YFI, actually spiked in price shortly after the news of the hack broke. This may have been due to short sellers covering their positions once they realized the Yearn Finance exploit was limited in scope rather than a systemic failure of the entire protocol.

A couple of hours later, the $YFI token’s price began dropping again, falling around 2.92%, and was trading at $4.003 at the time of writing.

Yearn Finance price chart. (Source: CoinMarketCap)


A Persistent Challenge for DeFi

This Yearn Finance exploit represents yet another security issue in a long history of such occurrences with the protocol; the last example was the yDAI incident in 2021, where $11 million was lost due to a lack of security on Yearn’s part. 

Also, this incident highlights that complex DeFi protocols are susceptible to vulnerabilities caused by pooled liquidity and tokenized derivatives being utilized together, as seen in this case. 

As investigations proceed, the DeFi community continues to speculate about whether Yearn will try to recover the lost funds and whether it will change its protocol or practices to reduce the risk of similar exploits in the future.


FAQs

What exactly was exploited in this Yearn Finance attack?

The attacker exploited a vulnerability in the yETH token contract itself, enabling them to mint a virtually unlimited number of yETH tokens, which were then used to drain real assets from Balancer liquidity pools.

Were Yearn’s main vaults affected?

No, Yearn has confirmed that its core V2 and V3 vaults were not compromised in this incident. The exploit was isolated to the specific yETH product and associated Balancer pools.

Has the stolen money been recovered?

The attacker successfully moved approximately 1,000 ETH (worth around $3 million) through Tornado Cash, making recovery extremely unlikely given the privacy-enhancing nature of the mixer.




A Web3 Journalist at TimesCrypto with a knack for turning complex ideas into engaging stories. With a solid Tech background, Alan has led teams to create and refine impactful projects across industries, working in firms such as IBM, Cisco Systems, and Telecom. He’s passionate about Blockchain, Finance, Science, bringing a unique blend of technical expertise and creative flair to every piece he writes. When he’s not crafting content, you’ll find him diving deep into research or just having some fun!
