Yearn Finance Suffers $9M Blow – Hackers Have a Field Day!

It is with great lamentation that we must report Yearn Finance, that once venerable bastion of crypto investment, has fallen prey to a most unfortunate calamity. In a singularly audacious exploit, the sum of approximately $9 million was spirited away, as if by magic, into the hands of nefarious hackers. 😱

The dastardly exploit targeted none other than a legacy stable swap pool, forever associated with the protocol’s yETH token. The scheme allowed these digital villains to mint an infinite number of coins, truly a feat that would make even the most cunning rogue raise an eyebrow. And how they must have chuckled as the coins poured forth! 💰

Flaw in the yETH Contract

The alarm was first sounded by the ever-vigilant blockchain security firm, PeckShield, who, in their own words, informed us via X that “Yearn Finance suffered an attack resulting in a total loss of ~$9M.” How dreadfully cryptic and, dare we say, dramatic? But one cannot argue with the facts. 👀

The attackers, displaying their usual flair for malfeasance, exploited a rather grievous flaw in the yETH contract. This loophole permitted them to mint fresh yETH without so much as a nod to collateral, causing the token supply to balloon at their leisure. Naturally, this most unsporting act allowed them to drain liquidity from a pool outside of Yearn’s core vault products, truly a masterstroke of villainy. 🎭

The protocol later clarified that a custom-built contract, intended to aggregate staked Ethereum derivatives like stETH and rETH, was the prime target. Yet, not all was lost, as Yearn proudly declared that the yUSND pool and Nerite’s vaults remained unscathed, much to their relief. (Can we have a round of applause for small victories?) 🥳

Once the loot was pilfered, the criminals did what criminals do: they laundered over $3 million through Tornado Cash. Meanwhile, the remaining $6 million, still trapped in their ill-gotten wallet (address 0xa80d…c822), languishes there, a symbol of their criminal ingenuity. 😒

Yearn, in a valiant attempt to maintain some semblance of control, confirmed the breach on X, stating that $0.9 million was lost from the yETH-WETH stableswap pool on Curve, while an additional $8 million was drained from the affected pool. Users who have been so cruelly victimized have been encouraged to submit a support ticket to the project’s Discord. Oh, how magnanimous of them! 📝

Early Investigation Findings

In response to this calamity, Yearn Finance has assembled a ‘war room’ (a dramatic term indeed) comprising SEAL911 and its trusted audit partner, ChainSecurity, to launch a full postmortem investigation. Let us hope they uncover more than just the scent of stale coffee and desperation. ☕

Preliminary findings suggest that the breach bears a striking resemblance to the recent Balancer hack, in which a staggering $120 million was purloined. One can only imagine the cries of disbelief. The Balancer hack was traced to a precision-loss bug in the fixed-point arithmetic used within Composable Stable Pools, which are optimized for asset pairs like USDC/USDT or WETH/stETH. Not quite as thrilling as a sword fight, but equally devastating in its own way. ⚔️

SlowMist, ever the cryptic prophet, revealed that this flaw led to subtle but repeated price discrepancies during swaps, especially when attackers executed multiple operations in a single transaction using the batch swap function. A most devious method indeed. 🕵️‍♂️
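
The class of bug described above, a fixed-point rounding error that is negligible once but adds up when an operation is repeated in one batch, can be seen in a toy model. This is an added example, not code from Balancer, Yearn or any auditor; the constants ONE and RATE, the function names and the fixed-price "pool" are assumptions constructed for illustration. It puts a charge that rounds down beside one that rounds in the pool's favour, and shows the invariant a pool or a transaction-replaying monitor can assert.

```python
from fractions import Fraction

ONE = 10**18                       # 18-decimal fixed point, as in Solidity math libraries
RATE = 1_234_567_890_123_456_789   # constructed price: 1 unit of A costs ~1.2346 units of B

def mul_down(a, b):
    """Fixed-point multiply, truncating the fractional part."""
    return a * b // ONE

def mul_up(a, b):
    """Fixed-point multiply, rounding up (ceiling division)."""
    return -(-a * b // ONE)

def pool_value_change(n_swaps, out_a, charge):
    """Run n_swaps 'take out_a of A, pay B' operations, as one batch would.

    Returns the exact change in pool value, in smallest units of B.
    A negative result means the pool handed out more value than it took in.
    """
    paid_b = sum(charge(out_a, RATE) for _ in range(n_swaps))
    exact_cost = Fraction(n_swaps * out_a * RATE, ONE)
    return paid_b - exact_cost

def batch_is_safe(n_swaps, out_a, charge):
    """Invariant check: a batch must never lower the pool's value."""
    return pool_value_change(n_swaps, out_a, charge) >= 0

if __name__ == "__main__":
    for out_a in (1, 7, ONE):      # dust-sized amounts vs. one whole token
        for name, charge in (("round down", mul_down), ("round up", mul_up)):
            delta = pool_value_change(1000, out_a, charge)
            safe = batch_is_safe(1000, out_a, charge)
            print(f"out_a={out_a:<20} {name:<10} change={float(delta):+.3f} safe={safe}")
```

At whole-token amounts both rounding modes agree exactly; the discrepancy only appears at dust-sized amounts, which is why such flaws survive ordinary testing.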

And, of course, this breach comes hot on the heels of another unfortunate event: Korean exchange Upbit’s own security lapse, which led to the loss of a cool $50 million in Ethereum. One can only hope this trend does not become the norm. 🤦‍♀️


2025-12-01 13:49