Yearn Finance Suffers $9 Million Exploit

The yETH exploit is the third hack of a Yearn Finance product since 2021.

Yearn Finance, the veteran yield-aggregation protocol, has suffered another attack that drained millions from yETH, a Yearn token that bundles several types of staked Ethereum into a single asset.

In a thread on X, the Yearn Finance team confirmed that on Sunday, an incident occurred involving the yETH stableswap pool that resulted in the minting of a “large amount of yETH.”

In a post-mortem report on Monday morning, the team wrote that the incident is the result of the intersection of a “low-level numerical bug” and a “high-level invariant-management issue.”

The hacker initially managed to steal about $9 million from the main yETH stableswap pool and a smaller yETH‑WETH pool on Curve.

However, a few hours after the attack, the Yearn Finance team wrote in an X post that, with assistance from the Plume and Dinero teams, it coordinated the recovery of 857.49 pxETH, worth around $2.4 million at market prices.

“Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis. There is no other Yearn product using similar code to what was impacted,” the team said.

Blockscout, a blockchain explorer, revealed in an X thread on Dec. 1 that the exploit occurred in a single transaction that minted “infinite yETH,” swapped those tokens for real ETH and liquid staking tokens, and then moved at least 1,000 ETH into Tornado Cash.

Self-Destructing Contracts

Blockscout’s analysis shows the attacker used infamous “helper contracts,” short-lived smart contracts that carried out the key steps of the exploit. For instance, they performed the mint and drain functions, forwarded the stolen assets, and then deleted themselves.

“Self-destruct removes bytecode, making the contract unreadable afterward, but creation transactions and logs are preserved,” Blockscout said.

Yearn Finance emphasized that the issue was isolated to custom code used only by yETH. According to the protocol’s official website, over $570 million is deposited in Yearn Vaults as of press time.

This is the third direct hack of a Yearn product since 2021. Previous issues included a 2021 breach of the yDAI vault and an attack on an older yUSDT contract in 2023.
