
Yearn Finance suffers a loss of 9 million USD from an infinite minting attack, with methods similar to the Balancer incident?


The decentralized yield protocol Yearn Finance has once again experienced a major security incident, as its Yearn Ether (yETH) liquidity pool was attacked today. The hacker exploited a vulnerability in the customized stable exchange contract, successfully executing an “infinite minting” operation and draining the entire pool, resulting in a loss of approximately 9 million USD. Yearn emphasized that this incident is limited to a single custom contract, and other Vault products are not affected.

How did the attack happen? Yearn suffered an infinite minting attack, resulting in a loss of 9 million dollars.

On-chain monitor Togbe pointed out that he first observed a series of suspicious activities related to yETH addresses, including temporary contract deployments, strange exchange paths, and extensive interactions with Tornado Cash. He subsequently clarified the core of the attack, which lies in the customized stable exchange (stableswap) contract used by yETH.

He pointed out that yETH itself is an index asset designed by Yearn to integrate various LSTs, and the attacker found a vulnerability in the contract logic, allowing them to mint an almost unlimited amount of yETH. These tokens were then exchanged for real assets in the pool, including ETH and other LSTs, causing the entire pool to be drained in a single transaction.

The contract has minted astronomical levels of yETH.

According to reports, the attack was composed of multiple temporarily deployed smart contracts. Some of these contracts self-destructed immediately after completing the attack, indicating that the attack path was meticulously planned, which also increased the difficulty of tracing. Initially, the outside world only saw about 1,000 ETH (approximately 3 million USD) being transferred to Tornado Cash; in reality, the total losses from the incident were far greater.

Is the impact expanding? Yearn emphasizes that V2, V3, and other products are all safe.

Yearn promptly issued an official announcement stating that the main liquidity pool suffered a loss of about 8 million USD, with another approximately 900,000 USD coming from the yETH-WETH pool on Curve, for a total loss of about 9 million USD.

The team immediately reassured users, emphasizing that the incident was only related to the customized stable exchange (stableswap) contract used by yETH and did not involve the Vault design primarily deployed by Yearn. In other words, neither V2 nor V3 Vaults were affected, and related products such as yCRV, Katana, and Morpho continued to operate normally.

The silver lining in this misfortune is that yETH has not been used as collateral by major lending protocols in the market, thus avoiding triggering a chain liquidation or systemic pressure, allowing the impact to be controlled within a relatively limited scope.

The cybersecurity team Shield pointed out that, in addition to some funds that have been laundered into Tornado Cash, the attacker's address currently still holds about 6 million USD that has not been moved, possibly still observing the progress of the investigation.

The method is similar to a Balancer attack, and the subsequent investigation is still ongoing.

The Yearn team stated that the complexity of this attack is quite high, even sharing some similarities with the recent Balancer incident, including multi-layer contract interactions, trading logic, and a deep understanding of the curve pricing model. The team is conducting a comprehensive investigation with several auditing partners, including ChainSecurity, and intends to release a more complete report as soon as possible.


This article, "Yearn Finance suffers a loss of 9 million USD from an infinite minting attack, with methods similar to the Balancer incident?", first appeared on Chain News ABMedia.
