Yearn Finance is suspected to have been attacked, with the hacker sending 1,000 ETH of stolen funds to Tornado Cash

  • 2025-12-01

 

On December 1, according to The Block, Yearn Finance appears to have been attacked, with its Yearn Ether (yETH) product—which aggregates popular LSTs (Liquid Staking Tokens)—losing millions of dollars in LST assets.

Blockchain data shows that the attacker used a carefully crafted exploit to mint an almost unlimited amount of yETH tokens in a single transaction, completely draining the pool. The attack transaction resulted in 1,000 ETH (approximately $3 million at current prices) being sent to the mixing protocol Tornado Cash. The attack involved multiple newly deployed smart contracts, some of which self-destructed after the transaction. The exact scale of the loss is still unclear, but prior to the attack, the yETH pool was valued at around $11 million.

The hack was first discovered by X user Togbe, who noticed the attack while monitoring large transactions. "Net transfers show that the excessive minting of yETH allowed the attacker to drain the pool in some way, profiting about 1,000 ETH," Togbe stated in a message. "For some reason, some ETH was sacrificed in the process, but they still made a profit in the end."

"We are investigating an incident involving the yETH LST stable swap pool," Yearn stated on X. "Yearn's V2 and V3 Vaults are unaffected."

Yearn Finance was previously attacked in 2021, in an incident that affected its yDAI vault and resulted in an $11 million loss, with the hacker ultimately profiting $2.8 million. In December 2023, the protocol suffered a 63% loss in one of its vault positions due to a scripting error, but user funds remained unaffected. Andre Cronje founded Yearn in 2020 and left the project two years later.
