Incident drains liquidity from liquid-staking index token; Yearn says vaults remain unaffected
Yearn Finance is examining an apparent exploit involving its yETH product after an attacker drained a significant portion of the pool’s liquid staking token reserves. Early blockchain traces indicate that a portion of the proceeds — roughly 1,000 ETH, or about $3 million — was moved through the privacy tool Tornado Cash.
The incident centers on yETH, a Yearn product that bundles multiple liquid staking tokens into a single asset. According to on-chain activity, the attacker deployed a sequence of new smart contracts to create an effectively unlimited supply of yETH, allowing them to withdraw the pool’s assets in a single transaction. Several of those contracts self-destructed immediately afterward, a pattern often associated with attempts to obscure technical footprints.
Before the exploit, the yETH pool held approximately $11 million in value. The precise size of the loss remains uncertain as investigators continue to analyze the attacker’s transactions and the state of the remaining assets.
Yearn acknowledged the issue publicly, confirming that it is investigating the yETH stableswap pool but emphasized that its V2 and V3 vaults are not affected. The protocol has previously faced isolated security events, including a 2021 exploit and a treasury misconfiguration in late 2023.
Further updates are expected as the investigation develops.
Disclaimer
This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.