By The post Yearn Finance Hit by $9M Exploit as Hacker Mints “Infinite yETH Tokens” appeared first on Coinpedia Fintech News
Yearn Finance, one of the most well-known DeFi platforms, has suffered a major security incident that caused nearly $9 million in losses. The attack targeted a custom stable-swap pool linked to Yearn’s yETH token, allowing the hacker to mint almost unlimited tokens and drain the pool in a single strike.
Here are the key details.
How the Attack Happened
According to Yearn Finance, the issue occurred on November 30 around 21:11 UTC. The affected contract was designed differently from Yearn’s main products, but a weakness in that code allowed the attacker to mint a near-infinite number of yETH tokens, far beyond what the system was supposed to allow.
With these fake tokens, they withdrew real ETH and liquid staking assets from the pool.
Around $8 million was drained from the main stableswap pool, and another $0.9 million was removed from the yETH-WETH pool on Curve. The damage is nearly $9 million.
$3 Million Laundered Through Tornado Cash
Blockchain security firm PeckShieldAlert confirms that the exploiter quickly moved around 1,000 ETH ($3 million) into Tornado Cash, a platform often used to hide transaction trails. The remaining stolen funds, roughly $6 million, still sit in the attacker’s wallet address (0xa80d…c822).
The wallet currently holds a mix of ETH, pxETH, frxETH, cbETH, Lido stETH, and Rocket Pool rETH. Most of this is now staked, likely an attempt to delay recovery or complicate potential legal actions.
Yearn Finance’s Response
Yearn Finance’s team quickly responded, confirming that the exploit was isolated to the legacy yETH product and assured users that active vaults and their funds remain safe.
They have been working with security teams and auditors to investigate the incident further. Until now, no recovery plan has been announced.
Following the attack news market reaction saw Yearn’s governance token (YFI) drop about 4.4% post-incident, trading near $3956.
Never Miss a Beat in the Crypto World!
Stay ahead with breaking news, expert analysis, and real-time updates on the latest trends in Bitcoin, altcoins, DeFi, NFTs, and more.
FAQs
$3.17M total: 751 wstETH + 412 rETH + 203 cbETH. Attacker bridged 1,200 ETH to BTC & Tornado Cash; $740k still in wallet.
Yes, 100% safe. V3 vaults & yUSD untouched. Only legacy yETH LST basket & Balancer pool affected. Confirmed by Andre Cronje.
Yes—Dec 1 governance proposal (97% support) to reimburse $3.2M losses from treasury via USDC Merkle drop within 48 hrs.
Fixed: new v1.1 contract deployed, router paused, $500k bug bounty launched & real-time mint alerts added by Chainalysis.
