On November 30, the Yearn Finance protocol experienced a significant security breach, resulting in the theft of approximately $9 million. This incident was reported by blockchain security experts at PeckShield, who noted that an exploit in the Yearn Ether (yETH) product was responsible for the loss.
According to PeckShield, the attackers were able to mint an exceedingly large number of yETH tokens, which allowed them to drain the entire pool in a single transaction. Approximately 1,000 ETH, worth about $3 million, was subsequently transferred to the crypto mixer Tornado Cash. PeckShield documented the attack through a series of alerts on social media.
In a statement following the exploit, the Yearn team confirmed that the attack stemmed from a vulnerability within the code of their yETH product. They clarified that this particular contract was a custom version of popular stableswap code and was not linked to other Yearn offerings, asserting that their V2 and V3 vaults remained secure.
Preliminary assessments indicated that the losses fell mainly into two categories: around $8 million from the affected stableswap pool and an additional $0.9 million from the yETH-WETH stableswap pool on Curve. The team noted that the complexity of the hack bore similarities to a recent exploit involving the Balancer protocol, and urged patience while they conducted a thorough analysis.
The ramifications of the hack extended beyond the immediate financial losses, as the price of Yearn’s native token, YFI, dropped by 5.5% following the news of the incident. At the time of reporting, YFI was trading around $3,900, with a market capitalization of $132.6 million. Additionally, the Total Value Locked (TVL) in the protocol saw a decrease from $432 million to $410 million within a day’s span—down sharply from its peak of $6.7 billion in November 2021.
This incident is not Yearn Finance’s first encounter with security vulnerabilities. In 2021, hackers siphoned off $2.8 million from the v1 yDAI pool, although the project swiftly compensated the affected users. Furthermore, in December 2023, a “faulty scenario” in a multisig transaction during a routine token fee conversion led to the loss of 63% of the protocol’s treasury funds, approximately $1.4 million.
Overall, the Yearn Finance protocol finds itself navigating complex challenges in the rapidly evolving landscape of decentralized finance, as concerns over security remain a significant issue for both the project and its users.

