The yETH liquid staking token pool of the well-known DeFi yield protocol Yearn Finance has been attacked. The attacker drained the liquidity pool by minting yETH without limit and made off with approximately 3 million dollars' worth of ETH, which was then transferred to the mixer Tornado Cash. The yETH pool, valued at around 11 million dollars before the attack, suffered significant losses. Yearn has confirmed that it is investigating the matter and emphasized that Yearn Vaults were not affected. This is another security crisis for Yearn, following the yDAI vulnerability incident in 2021.
Analysis of the Attack Incident
Blockchain data shows that on December 14, Yearn Finance's yETH liquid staking token pool suffered a meticulously planned attack in which the attacker exploited a contract vulnerability to issue an almost unlimited amount of yETH and drained the entire pool in a single transaction. yETH is an index token that aggregates several popular liquid staking tokens and was designed to give users a one-stop Ethereum staking yield product; this vulnerability strikes at the core mechanism of that product.
During the attack, the attacker deployed multiple brand-new smart contracts to carry it out. Some of these contracts self-destructed immediately after the transaction completed, a tactic clearly aimed at concealing traces of the attack and making it harder to track. Ultimately, the attacker transferred 1000 ETH (approximately 3 million USD at the time) into the mixing protocol Tornado Cash, further breaking the traceability of the funds.
The attack was first spotted by a user named Togbe on platform X, who noticed unusual activity while monitoring large transfers. Togbe told the media: “The net transfer data indicates that the yETH super minting feature allowed the attackers to drain the liquidity pool, profiting approximately 1000 ETH. Although some ETH was sacrificed during the attack, the attackers still made a profit.” This discovery promptly alerted the community to the incident.
Key Stages of the Attack
Exploit: The attacker exploited the unauthorized super minting function to issue yETH without limit.
Fund extraction: A single transaction drained the yETH pool, worth approximately 11 million dollars.
Fund transfer: 1000 ETH (approximately 3 million USD) was transferred to Tornado Cash.
Evidence concealment: Some of the attacking contracts self-destructed, making investigation more difficult.
In-Depth Analysis of Technical Vulnerability Mechanisms
From a technical perspective, the core vulnerability behind this attack is a flaw in the minting permission controls of the yETH contract. The attacker seems to have found a way to bypass the normal minting restrictions and trigger the so-called “super minting” feature, which should have been available only under strict conditions but was reached by an unauthorized party. A liquid staking token index involves complex token-economics design, and any permission vulnerability in it can have catastrophic consequences.
The freshly deployed contracts and the self-destruct pattern used by the attackers are typical of professional operators. By using disposable contracts, the attackers not only concealed the attack logic but also made post-attack forensics significantly harder. Blockchain security experts point out that this technique requires an in-depth understanding of Yearn's contract architecture, which may be the result of internal code leaks or long-term covert research.
It is worth noting that yETH, as an aggregator of various liquid staking tokens, relies on being correctly pegged to its underlying assets for its price stability. When an attacker mints yETH without limit, most of the assets in the pool are exchanged for other highly liquid tokens, which are ultimately converted into ETH and withdrawn. This attack path exposes the single-point-of-failure risk in the design of index tokens: once the core minting function is breached, the entire economic model quickly collapses.
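A defender can watch for the condition described above, supply growing faster than the assets behind it, directly in ERC-20 `Transfer` logs. The following is an added example, not Yearn's code or tooling: the token address, transaction hashes, amounts, the 10% threshold and the assumption that supply and pool backing are expressed in the same 18-decimal unit are all constructed for illustration.

```python
# Added example: flag transactions whose index-token mints are out of proportion.
from collections import defaultdict

# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 event topic
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_TOPIC = "0x" + "00" * 32          # zero address as an indexed topic
TOKEN = "0x" + "11" * 20               # constructed placeholder, not the real yETH address

def net_mint_per_tx(logs, token):
    """Net supply change per transaction: mints (from 0x0) minus burns (to 0x0)."""
    net = defaultdict(int)
    for log in logs:
        t = log["topics"]
        if log["address"].lower() != token.lower() or len(t) != 3 or t[0] != TRANSFER_TOPIC:
            continue
        amount = int(log["data"], 16)
        if t[1] == ZERO_TOPIC:
            net[log["transactionHash"]] += amount
        if t[2] == ZERO_TOPIC:
            net[log["transactionHash"]] -= amount
    return dict(net)

def flag_abnormal_mints(logs, token, supply_before, backing, max_bps=1000):
    """Alert when one tx mints more than max_bps of supply or supply outruns backing."""
    alerts, supply = [], supply_before
    for tx, delta in net_mint_per_tx(logs, token).items():
        reasons = []
        if delta * 10_000 > supply * max_bps:      # integer math, no float rounding
            reasons.append("single-tx mint above threshold")
        supply += delta
        if supply > backing:                       # assumed: same unit as supply
            reasons.append("supply exceeds pool backing")
        if reasons:
            alerts.append({"tx": tx, "minted": delta, "reasons": reasons})
    return alerts

def _log(tx, frm, to, amount):         # builds one constructed sample log entry
    return {"address": TOKEN, "transactionHash": tx,
            "topics": [TRANSFER_TOPIC, frm, to], "data": hex(amount)}

USER = "0x" + "00" * 12 + "22" * 20    # constructed holder address, padded to 32 bytes
SAMPLE_LOGS = [                        # constructed data, not taken from the incident
    _log("0xaaa", ZERO_TOPIC, USER, 5 * 10**18),   # ordinary deposit-sized mint
    _log("0xaaa", USER, ZERO_TOPIC, 1 * 10**18),   # small burn in the same tx
    _log("0xbbb", ZERO_TOPIC, USER, 10**30),       # runaway mint
]

if __name__ == "__main__":
    for a in flag_abnormal_mints(SAMPLE_LOGS, TOKEN, 10_000 * 10**18, 10_050 * 10**18):
        print(a)
```

In production the backing figure would come from a rate-weighted valuation of the pool's underlying tokens rather than a single number passed in by hand.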
Yearn Security History and Emergency Response
Yearn Finance quickly released an official statement through platform X after the incident: “We are investigating the event involving the yETH LST stable exchange pool; Yearn Vaults (including V2 and V3 versions) are unaffected.” This prompt response helps stabilize community sentiment, but cannot immediately recover financial losses. The team is currently conducting a comprehensive review of the contract code to assess the root cause of the vulnerability.
Looking back at Yearn's security history, this is not the first time the protocol has encountered significant vulnerabilities. In 2021, Yearn's yDAI vault was attacked, resulting in a loss of 11 million dollars, of which the attacker ultimately kept 2.8 million dollars as profit. In December 2023, Yearn suffered a 63% loss on a treasury position due to a script error, but fortunately no user funds were affected at that time. These consecutive security incidents have raised doubts about the quality of Yearn's code.
What is even more concerning is that Yearn founder Andre Cronje left the team two years after the project's launch, and whether his absence has affected the protocol's security development roadmap has become a focal point of community discussion. Although Yearn's subsequent development team has been actively maintaining the protocol, the departure of the founder has undoubtedly had a profound impact on the project's technical direction. So far, the Yearn team has not announced a specific compensation plan or a timeline for fixing the vulnerability.
DeFi Security Ecosystem and User Protection Recommendations
The yETH attack once again highlights the security challenges facing the DeFi sector. According to statistics from blockchain security agencies, losses in the DeFi sector due to vulnerabilities and attacks exceeded $400 million in the first half of 2024, with contract logic flaws and improper access control being the main attack vectors. As an emerging sector, liquid staking derivatives have more complex product structures, which makes them more likely targets for attackers.
For ordinary DeFi users, this event offers important lessons in risk prevention. Before participating in similar index tokens or aggregator products, users should fully understand the project's security audit status, paying particular attention to the permission settings on the core minting and redemption functions. At the same time, diversifying investments remains an effective way to reduce single-protocol risk and avoid excessive exposure to any one protocol or product.
From an industry perspective, this attack may accelerate the development of DeFi insurance products. Insurance protocols such as Nexus Mutual have begun to provide coverage for various DeFi products, while institutional-grade custody solutions are also exploring smart contract vulnerability insurance services. As regulatory frameworks become clearer, the security standards of DeFi projects are expected to shift from voluntary audits to mandatory certifications, providing users with more comprehensive protection.
The DeFi Industry's Alarm Rings Constantly
The Yearn Finance yETH pool attack not only exposed the code-security weaknesses of complex DeFi products but also prompted deeper reflection on the sustainability of liquid staking derivatives. Since Ethereum completed its transition to proof of stake, the liquid staking sector has become a testing ground for both innovation and risk. This loss of 3 million USD is a reminder to the industry: while pursuing yield optimization, the fundamental security architecture must not be overlooked.
As the investigation continues, the Yearn team faces not only the challenge of technical fixes but also the long-term task of rebuilding community trust. For the entire decentralized finance ecosystem, this incident could become an important opportunity to promote the standardization of security audit processes and the improvement of bug bounty programs. Only through collective efforts to raise the security bar can a more resilient decentralized finance infrastructure be built.
Yearn Finance has been attacked again, with the yETH pool losing $3 million worth of ETH transferred to Tornado Cash.