One of the longest-standing protocols in decentralized finance (DeFi), Yearn Finance, is currently under scrutiny following a significant exploit involving its legacy yETH token contract. An attacker successfully exploited vulnerabilities within this older contract, minting a staggering 235 trillion fake tokens and draining approximately $9 million in real assets from Balancer liquidity pools.
According to Yearn Finance, the incident was confirmed on Sunday, revealing that the exploit targeted the outdated yETH token product. The attacker was able to leverage a flaw in the token’s minting logic, effectively generating an almost limitless supply of yETH. This massive influx of counterfeit tokens was subsequently exchanged for real assets, leading to a rapid drain of liquidity.
Blockchain analyses indicate that the exploit involved siphoning off about $8 million from the yETH stableswap pool and an additional $0.9 million from the yETH-WETH pool on Curve. Fortunately, Yearn’s V2 and V3 Vaults remained unaffected by this exploit, which indicates that the issue was isolated to the older yETH implementation rather than the newer vault infrastructure currently used by the protocol.
To address the situation, Yearn Finance is collaborating with SEAL 911 and ChainSecurity to conduct a comprehensive post-mortem analysis. Initial assessments of the hack have noted its complexity, drawing comparisons to a recent exploit affecting Balancer.
In a bid to obscure their tracks, the attacker swiftly transferred approximately 1,000 ETH—valued at around $3 million—through the privacy protocol Tornado Cash in a series of transactions. These transactions have raised red flags among blockchain observers, who noted the use of several helper smart contracts that were deployed moments before the main exploit. These contracts were designed to self-destruct immediately after the attack, erasing on-chain evidence and complicating subsequent forensic investigations.
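Two of the signals described above, a mint far out of proportion to the token's circulating supply and helper contracts that appear shortly before the exploit and self-destruct right after it, are the kind of thing a monitoring pipeline can flag from on-chain data. The following is an added illustration written for this page, not Yearn's code or any tool named in the article: the event shapes, the block-window and ratio thresholds, and every address and amount are constructed assumptions, chosen so that one oversized mint and two short-lived contracts are the only anomalies in the sample.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ERC-20 mints show up as Transfer events whose source is the zero address.
ZERO_ADDRESS = "0x" + "0" * 40


@dataclass
class TransferEvent:
    block: int
    src: str
    dst: str
    amount: int  # raw token units (18 decimals assumed)


@dataclass
class ContractLifecycle:
    address: str
    created_block: int
    destroyed_block: Optional[int]  # None if the contract still exists


def detect_anomalous_mints(events: List[TransferEvent],
                           baseline_supply: int,
                           max_mint_ratio: float = 0.01) -> List[Tuple[int, int]]:
    """Replay Transfer events in order, tracking circulating supply, and flag
    any single mint larger than max_mint_ratio of the supply at that moment.
    Returns (block, amount) pairs for the flagged mints."""
    supply = baseline_supply
    alerts = []
    for ev in events:
        if ev.src == ZERO_ADDRESS:  # mint
            if supply > 0 and ev.amount > supply * max_mint_ratio:
                alerts.append((ev.block, ev.amount))
            supply += ev.amount
        elif ev.dst == ZERO_ADDRESS:  # burn
            supply -= ev.amount
    return alerts


def detect_ephemeral_helpers(contracts: List[ContractLifecycle],
                             exploit_block: int,
                             window: int = 3) -> List[str]:
    """Flag contracts deployed within `window` blocks before the exploit and
    self-destructed at or after the exploit block: the deploy-use-destroy
    pattern that erases on-chain evidence."""
    flagged = []
    for c in contracts:
        created_just_before = exploit_block - window <= c.created_block <= exploit_block
        destroyed_after = c.destroyed_block is not None and c.destroyed_block >= exploit_block
        if created_just_before and destroyed_after:
            flagged.append(c.address)
    return flagged


# Constructed sample data (assumed, not real chain records).
ONE_TOKEN = 10 ** 18
SAMPLE_EVENTS = [
    TransferEvent(95, ZERO_ADDRESS, "0xaaaa", 5 * ONE_TOKEN),          # routine mint, 0.5% of supply
    TransferEvent(96, "0xaaaa", "0xbbbb", 2 * ONE_TOKEN),              # ordinary transfer
    TransferEvent(98, "0xbbbb", ZERO_ADDRESS, 1 * ONE_TOKEN),          # routine burn
    TransferEvent(101, ZERO_ADDRESS, "0xbad0", 235 * 10 ** 12 * ONE_TOKEN),  # oversized mint
]
SAMPLE_CONTRACTS = [
    ContractLifecycle("0xhelper1", created_block=100, destroyed_block=101),
    ContractLifecycle("0xhelper2", created_block=101, destroyed_block=101),
    ContractLifecycle("0xvault", created_block=50, destroyed_block=None),
    ContractLifecycle("0xold", created_block=90, destroyed_block=102),   # outside the window
]


def run_sample() -> Tuple[List[Tuple[int, int]], List[str]]:
    mints = detect_anomalous_mints(SAMPLE_EVENTS, baseline_supply=1_000 * ONE_TOKEN)
    helpers = detect_ephemeral_helpers(SAMPLE_CONTRACTS, exploit_block=101)
    return mints, helpers


if __name__ == "__main__":
    flagged_mints, flagged_helpers = run_sample()
    for block, amount in flagged_mints:
        print(f"block {block}: mint of {amount // ONE_TOKEN} tokens exceeds supply ratio")
    for addr in flagged_helpers:
        print(f"ephemeral helper contract: {addr}")
```

The supply-ratio check is deliberately stateful: a fixed absolute threshold would be tuned per token and drift with its market, whereas comparing each mint to the supply that existed just before it catches the "almost limitless" case regardless of decimals or price. The helper-contract check needs contract creation and SELFDESTRUCT traces rather than plain logs, which is one reason such patterns are easier to spot in post-incident forensics than in real time.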
This is not the first time Yearn Finance has faced security challenges. In 2021, the protocol incurred losses of $11 million from its yDAI vault, and a faulty script in late 2023 resulted in the loss of a significant portion of a treasury position, although user funds were not directly affected in that instance.
Despite this most recent exploit, Yearn’s Total Value Locked (TVL) continues to exceed $600 million, suggesting that a considerable number of DeFi users still place trust in its core systems. However, the governance token YFI experienced a temporary decline of 4 percent, trading near $4,002 shortly after the incident and currently priced at approximately $3,898.
As experts observe this incident, it serves as a poignant reminder that legacy risks remain a constant threat in DeFi, particularly for protocols with long histories and evolving codebases. Although Yearn Finance managed to isolate the issue and maintain confidence in its newer systems, the breach underscores the importance for DeFi protocols to retire or enhance older contracts, as these vulnerabilities can resurface in unexpected ways.

