Yearn Finance is suspected of being attacked, and the hacker has sent 1,000 ETH of stolen funds to Tornado Cash.

On December 1, The Block reported that Yearn Finance appears to have been attacked, with millions of dollars worth of LST (liquid staking tokens) being stolen from its popular Yearn Ether (yETH) product. Blockchain data shows that the attacker exploited a carefully constructed vulnerability to mint an almost unlimited amount of yETH tokens in a single transaction, completely draining the pool. The attack transaction resulted in 1,000 ETH (approximately $3 million at current prices) being sent to the mixing protocol Tornado Cash. This attack involved several newly deployed smart contracts, some of which self-destructed after the transaction. The exact scale of the losses is still unclear, but before the attack, the yETH pool was approximately $11 million in size. The hacking incident was first discovered by X user Togbe, who noticed the attack while monitoring large transfers. “Net transactions show that the excessive minting of yETH allowed the attacker to somehow drain the fund pool and gain about 1,000 ETH in profit,” Togbe stated in a message, “For some reason, part of the ETH was sacrificed in the process, but they ultimately still profited.” “We are investigating the incident involving the yETH LST stable exchange pool,” Yearn stated on X, “Yearn's V2 and V3 Vaults were not affected.” Yearn Finance had previously suffered an attack in 2021 that impacted its yDAI vault, resulting in a loss of $11 million, with the hacker ultimately profiting $2.8 million. In December 2023, the protocol lost 63% of a certain vault position due to a script error, but user funds were unaffected. Yearn founder Andre Cronje established the project in 2020 and left two years later.