yETH has suffered an infinite mint attack! 3 million dollars worth of ETH flowed into Tornado Cash for Money Laundering.

The Yield Farming protocol Yearn Finance was attacked, resulting in the theft of liquid staking tokens from its Yearn Ether (yETH) product. The yETH liquidity pool was drained by a carefully designed exploit, which minted nearly an infinite number of yETH tokens through a single transaction. This transaction led to 1000 ETH (approximately 3 million USD) being sent to the mixing protocol Tornado Cash.

Precision Attack Techniques for Infinite Minting Vulnerabilities

(Source: Etherscan)

Blockchain data shows that the yETH liquidity pool was apparently drained through a carefully designed exploit, which minted an almost unlimited number of yETH tokens in a single transaction, thereby emptying the liquidity pool. Yearn Ether (yETH) aggregates popular liquidity staking tokens (LSTs) into one token, allowing users to earn yields from multiple LSTs through a single asset. However, the complexity of this design also provides an opportunity for attackers.

The attacker seems to be able to mint unlimited yETH through a vulnerability. This “infinite minting” attack is one of the deadliest types of vulnerabilities in the DeFi space, allowing attackers to bypass normal collateral requirements and create tokens out of thin air. Under normal circumstances, users wishing to obtain yETH must deposit an equivalent amount of liquid staking tokens as collateral. However, the attacker discovered a logical flaw in the smart contract code that enabled them to mint large amounts of yETH without providing the corresponding collateral.

Blockchain data shows that the attack seems to involve multiple newly deployed smart contracts, some of which self-destruct after completing transactions. This tactic is extremely cunning, indicating that the attackers possess a high level of technical ability and a profound understanding of how smart contracts operate. By deploying temporary smart contracts to execute the attack and then immediately destroying these contracts, the attackers attempt to obscure their attack path, making post-event analysis and fund recovery more difficult.

The Three-Phase Process of Infinite Minting Attack

Phase One: Deploying the Attack Contract - The attacker deploys multiple carefully designed smart contracts that contain code exploiting the yETH minting logic vulnerability.

Phase Two: Execute infinite minting - Call these contracts through a single transaction to bypass the collateral check mechanism and mint a large amount of yETH Token.

Phase Three: Evidence Destruction - After the attack is completed, immediately destroy the temporarily deployed smart contracts in an attempt to cover up the attack methods and logic.

The recent hacker attack was first discovered by the user Togbe. Togbe told The Block that he noticed the obvious attack while monitoring large transfers. “Net transfer data shows that the yETH super minting allowed the attackers to drain the liquidity pool, profiting about 1000 ETH,” Togbe wrote in a message. “Although there were other ETH sacrificed, they still made a profit.”

Togbe's discovery highlights the double-edged sword nature of blockchain transparency. On one hand, all transactions are publicly accessible, making community monitoring possible. On the other hand, attackers can also leverage this transparency to study protocol vulnerabilities. The phrase “other ETH were sacrificed” suggests that attackers may have conducted multiple tests while refining their attack methods, resulting in some funds being lost during testing, but ultimately still successfully extracting a large amount of assets.

The Tracing Dilemma of Tornado Cash Money Laundering Path

This transaction resulted in 1000 ETH (worth approximately 3 million dollars at current prices) being sent to the mixing protocol Tornado Cash. Tornado Cash is the most well-known mixing service on Ethereum, which breaks the traceability of on-chain transactions by mixing the funds of multiple users together. Once the funds enter Tornado Cash, tracking their final destination becomes extremely difficult, which is why hackers and money launderers prefer to use this service.

The operation mechanism of Tornado Cash is based on zero-knowledge proof technology. Users deposit ETH into Tornado Cash's smart contract and receive an encrypted certificate. Later, users can use this certificate to withdraw an equivalent amount of ETH from any address, and the deposit address cannot be directly linked to the withdrawal address on the blockchain. An attacker deposits 1000 ETH in batches into Tornado Cash, which may be dispersed to dozens or even hundreds of different withdrawal addresses, making it difficult for law enforcement and analysis companies to track.

It is worth noting that Tornado Cash itself was sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) in August 2022, and using the service is considered illegal in the United States. However, since Tornado Cash is deployed as a smart contract on Ethereum and its code is decentralized and immutable, the sanctions have not truly shut down the service. Attackers apparently do not care about the legal risks, or they believe that the anonymity benefits of mixing coins outweigh the potential legal consequences.

Blockchain analysis companies may attempt to trace funds through the following methods: monitoring the subsequent flow of ETH withdrawn from Tornado Cash, looking for potential links to centralized exchanges or other identifiable entities; analyzing the attacker's transaction patterns and timestamps to find similarities with other known attacks; tracking the source of ETH used to pay gas fees, as attackers must use “clean” ETH to cover the transaction fees for mixing and withdrawals. However, experienced attackers often employ multi-layer mixing and time delay strategies, significantly reducing the success rate of these tracing methods.

Yearn Finance's Security Record and Historical Lessons

The total amount of losses is currently unclear, but the value of the yETH liquidity pool was approximately $11 million before the attack. Yearn wrote on X: “We are investigating an incident involving the yETH LST stablecoin pool. Yearn Vaults (including V2 and V3) are unaffected.” This statement attempts to reassure users, emphasizing that the security of the core product, Yearn Vaults, remains intact, and the losses are limited to the relatively new product, yETH.

However, this is not Yearn Finance's first encounter with a security incident. In 2021, Yearn Finance experienced a cyber attack, resulting in a loss of 11 million USD from its yDAI vault, with hackers stealing 2.8 million USD. That attack exploited flash loan attack techniques, profiting by manipulating the price oracle in a single transaction. In December 2023, the protocol stated that a faulty script led to a 63% loss in one of its vault positions, but user funds were unaffected.

Yearn Finance Security Incident Timeline

2021: yDAI vault was attacked by a flash loan, resulting in a loss of 11 million USD, with hackers profiting 2.8 million USD.

December 2023: A faulty script caused a 63% loss in the vault position (user funds were not affected)

2025: yETH suffered an infinite minting attack, with approximately 3 million dollars flowing into Tornado Cash.

These repeated security incidents have raised questions about the code audit and security processes of Yearn Finance. While the risks of attacks faced by DeFi protocols are inherently high, the three major security incidents suggest there may be systemic security management issues. Yearn's founder, Andre Cronje, established the project in 2020 and left it two years later. Cronje's departure may have impacted the project's technical leadership and security culture.

For DeFi users, this attack once again highlights the reality of smart contract risks. Even mature protocols like Yearn, which have been operating for years, may still have undiscovered vulnerabilities. Users should evaluate the security audit records, historical security incidents, code complexity, and the team's responsiveness when participating in DeFi protocols. Diversifying investments across multiple protocols rather than concentrating all funds on a single platform is an important strategy to reduce smart contract risks.