Yearn Finance Suspected of Attack, Hacker Sends 1,000 ETH of Stolen Funds to Tornado Cash
BlockBeats News, December 1st, according to The Block, Yearn Finance appears to have been attacked, with its Yearn Ether (yETH) product, which aggregates popular Liquid Staking Tokens (LST), being drained of millions of dollars' worth of LST assets.
Blockchain data shows that the attacker exploited a carefully crafted vulnerability to mint nearly an infinite amount of yETH tokens in a single transaction, completely draining the pool. The attack transaction resulted in 1,000 ETH (valued at approximately $3 million at current prices) being sent to the Tornado Cash privacy protocol. This attack involved multiple newly deployed smart contracts, some of which self-destructed after the transaction. The exact scale of the loss is currently unclear, but prior to the attack, the yETH pool's size was around $11 million.
This hack was first discovered by user X, Togbe, who noticed the attack while monitoring large transfers. "On-net transfer shows an over mint of yETH that allowed the attacker to drain the pool somehow and make a profit of around 1,000 ETH," Togbe stated in the message. "Part of the ETH was sacrificed along the way for reasons unknown, but they still made a profit in the end."
"We are investigating the incident involving the yETH LST StableSwap pool," Yearn stated on X, "Yearn's V2 and V3 Vaults are unaffected."
Yearn Finance previously suffered an attack in 2021, affecting its yDAI insurance vault, resulting in a loss of $11 million, with the hacker ultimately profiting $2.8 million. In December 2023, the protocol saw a 63% loss in one of its vault positions due to a scripting error, but user funds were unaffected. Yearn's founder, Andre Cronje, started the project in 2020 and departed two years later.
You may also like
Semiconductor stocks plummet, yet Anthropic wants to create a 2nm chip
Where is Zhao Changpeng's billion-dollar investment going? YZi Labs' investment landscape fully revealed
Ethereum Foundation Report: A Basic Guide to Ethereum for Governments and Financial Institutions
A pre-announced harvesting case: After the cryptocurrency price dropped by 99%, the public chain Saga exited to transform into AI
When American giants collectively "defect" from Chinese AI models
BIS Report Compliance Observation: The Real Risks of Stablecoins, Not Just "Depegging"
Portugal 2-1 Croatia: Ronaldo's 20-Year Knockout-Stage Drought Ends With a Debt Finally Collected
Portugal beat Croatia 2-1 in the 2026 global football championship's knockout rounds as Ronaldo scored his first-ever knockout-stage goal, Gonçalo Ramos struck a stoppage-time winner, and VAR ruled out a late equalizer for offside.
