A significant incident involving the decentralized finance platform Yearn Finance occurred on Monday, in which its yETH product pool was drained in a single transaction. The platform confirmed the event and reassured users that both its V2 and V3 Vaults remain secure and unaffected. Yearn provided an update stating that it is investigating the incident, which is linked to the yETH liquid staked token (LST) stableswap pool.
Blockchain data revealed that the exploit resulted in the minting of an astronomical number of yETH tokens, which allowed attackers to drain millions from Balancer pools. Preliminary reports indicate that the exploit yielded approximately 1,000 ETH for the attackers, equating to a profit of around $3 million, which was subsequently routed through the Tornado Cash mixer for further obfuscation.
The yETH token is an index product composed of various liquid-staked versions of Ethereum, also known as Ethereum Liquid Staking Derivatives (LSTs). The issue was initially flagged by a blockchain observer who noted a surge in “heavy transactions” related to various LSTs, including those from Yearn, Rocket Pool, Origin, and Dinero.
The investigation into the incident pointed to the deployment of several newly created smart contracts that self-destructed after execution, complicating efforts to ascertain the extent of the financial losses. Prior to the exploit, the total value of the yETH pool was estimated to be around $11 million.
In the aftermath of the attack, community reactions varied, with growing concern over the reliance on outmoded smart contracts in decentralized platforms. Yearn Finance has faced similar challenges in the past, notably an incident that impacted its yDAI vault, in which the vault lost $11 million in value and the hacker managed to abscond with $2.8 million.
The incident adds to broader concerns regarding security within the DeFi sector. Recent data from blockchain security firm CertiK indicated that the crypto industry experienced an estimated $127 million in losses due to hacks and exploits in November alone, with the actual financial impact exceeding $172 million. The losses were partly offset, as $45 million of the stolen funds was reportedly recovered post-incident.
Among the notable breaches in November, the attack on the Balancer DeFi protocol was highlighted as one of the most significant, causing losses upwards of $116 million in a complex cross-chain exploit that affected multiple blockchains. In total, DeFi incidents accounted for approximately $135 million in losses, while exchange hacks accounted for $29.8 million in thefts during the same period.
The ongoing discussions within the community regarding security practices emphasize the need for enhanced vigilance and possibly more stringent protocols to protect against future attacks.


