Yearn Finance's yETH Exploited: Millions Drained

Yearn Finance experienced a major exploit targeting its yETH product, resulting in the loss of approximately $2.8 million. The vulnerability stemmed from an infinite-mint flaw in the yETH token contract, allowing the attacker to create a massive amount of yETH and subsequently drain liquidity from Balancer pools.

What Happened?

• The attack occurred when a malicious wallet exploited the infinite-mint vulnerability to create roughly 235 trillion yETH tokens in a single transaction.
• The attacker then used these newly minted tokens to drain assets, primarily ETH and Liquid Staking Tokens (LSTs), from Balancer liquidity pools.
• Approximately 1,000 ETH was laundered through Tornado Cash in the aftermath.
• Several helper contracts used in the exploit were self-destructed shortly after to conceal the trail.

Impact and Response

Yearn Finance has stated that V2 and V3 Vaults were unaffected, and the vulnerability was isolated to the legacy yETH implementation. The protocol's Total Value Locked (TVL) remains above $600 million, suggesting that core systems were not compromised.

Market Reaction

Interestingly, the price of YFI initially spiked following news of the exploit. This appears to be due to short-sellers covering their positions after initial claims of a broader "Yearn exploit" prompted heavy shorting. The thin liquidity of YFI amplified this price movement.

Key Takeaways

• The exploit highlights the importance of thorough security audits, especially for older contracts.
• Even seemingly isolated vulnerabilities can have significant financial consequences.
• Market reactions to exploits can be unpredictable, especially for low-liquidity assets.

Ongoing investigations aim to determine if any recovery options exist for the stolen funds. Users are advised to stay informed about official Yearn Finance announcements.