Attack Targets yETH Pool
Yield-farming protocol Yearn Finance has reportedly suffered an exploit that drained millions in liquid staking tokens (LSTs) from its Yearn Ether (yETH) product. The yETH token aggregates popular LSTs into a single asset, offering users exposure to multiple staked Ethereum positions.
Blockchain data suggests the pool was drained via a sophisticated exploit that minted a near-infinite number of yETH tokens, emptying the pool in a single transaction. The attacker reportedly sent 1,000 ETH (approximately $3 million at current prices) to the mixing protocol Tornado Cash. Multiple newly deployed smart contracts appear to have been involved, some of which self-destructed after the transaction.
Before the incident, the yETH pool held roughly $11 million. The full scale of the attack initially remained unclear.
Early Detection and Response
The hack was first noticed by X user Togbe, who told The Block:
“Net transfers suggest yETH super mint let the attacker drain the pool for some gain of 1k ETH. Somehow other ETH was sacrificed in this but they still [made] away with profit.”
Yearn Finance confirmed the incident on X, stating:
“We are investigating an incident involving the yETH LST stableswap pool. Yearn Vaults (both V2 and V3) are not affected.”
Financial Impact and Ongoing Investigation
In a later update, Yearn disclosed the total loss as $9 million, with $8 million from the stableswap pool and $0.9 million from the yETH-WETH stableswap pool on Curve. A full post-mortem investigation is underway in collaboration with SEAL 911 and ChainSecurity. Yearn noted:
“Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis. There is no other Yearn product using similar code to what was impacted.”
Yearn’s Previous Security Incidents
This is not Yearn’s first security challenge. In 2021, the yDAI vault was exploited, losing $11 million in value, with the hacker capturing $2.8 million. In December 2023, a faulty script erased 63% of one treasury position, though no user funds were affected. Founder Andre Cronje left the project in 2022, two years after its 2020 launch.








