PeckShield says hackers minted unlimited yETH, emptied a custom sETH/rETH pool, and laundered more than $3 million worth of ETH through Tornado Cash.
Yearn Finance suffered a major security breach, resulting in a loss of approximately $9 million.
The exploit targeted an older, stable swap pool tied to the protocol’s yETH token, allowing the hackers to mint an infinite number of coins.
Error in the yETH contract
Blockchain security company Peckshield was the first to report the incident via to report“Yearn Finance suffered an attack that resulted in a total loss of ~$9 million.”
According to the analysts, the attacker exploited a critical vulnerability in the yETH token contract, allowing them to mint new yETH without posting sufficient collateral, effectively inflating the token supply at will. This loophole was then used to drain liquidity from a pool outside of Yearn’s core vault products.
The target of the exploit was a custom contract designed to merge Ethereum derivatives such as stETH and rETH. The protocol later shared that the yUSND pool and Nerite’s vaults remained secure and unaffected by the protocol error. After the attack, those responsible laundered more than $3 million in stolen ETH through Tornado Cash. Meanwhile, the remaining $6 million worth of various Ethereum assets remain in their wallet address (0xa80d…c822) according to the latest blockchain scans.
Desire too confirmed the compromise on Affected users were also advised to open a support ticket on the project’s Discord.
Early research results
The platform announced that it has assembled a war room consisting of SEAL911 and its audit partner, Chain Security, with a full post-mortem investigation underway.
You might also like:
Initial findings suggest that the incident shares a similar level of technical complexity with the recent Balancer hack. That unauthorized access resulted in the theft of more than $120 million through the platform’s main protocol and through various forks.
On-chain analysts have traced the Balancer event to a precision loss bug in the integer fixed point arithmetic used to calculate scaling factors within Composable Stable Pools, which are optimized for near-parity asset pairs such as USDC/USDT or WETH/stETH.
SlowMist later said the flaw led to subtle but repeated price discrepancies during swaps, especially when attackers performed multiple operations within a single transaction using the batch swap feature.
Meanwhile, Yearn’s incident comes shortly after Korean exchange Upbit suffered its own security flaw, which resulted in the loss of $50 million worth of Ethereum.
SECRET PARTNERSHIP BONUS for CryptoPotato readers: Use this link to register and unlock $1,500 in exclusive BingX Exchange rewards (limited time offer).
#Yearn #Finance #loses #million #due #misuse #yETH #Vault #transaction