Yearn Finance suffered a $9 million hack on Sunday evening, marking the long-established decentralized finance platform’s fifth incident in as many years.
The attack, which occurred just after 9pm UTC, hit the yield farm’s yETH stableswap pool, extracting various ether (ETH) liquid staking tokens (LSTs).
Of these, 850 of Redacted Cartel’s LST, pxETH, (worth $2.4 million) was burned by the issuer, with an equivalent amount simultaneously minted to the team’s multisig.
Read more: DeFi yield aggregator Yearn discloses September incident in yUSND vault
An on-chain message warned the hacker of this possibility approximately eight hours earlier. It reads, “your erc20s are at risk of being burnt and/or blacklisted,” and advises to “deposit them to a pool or swap to ETH to prevent such happenings.”
In addition to the earlier warning, the hacker’s address received two fake bounty offers. Later, a Yearn deployer address urged the attacker to “open a communication channel” for the purposes of “discussing terms constructively.”
Read more: DeFi platform Yearn exploits itself, begs for money back
Yearn’s third hack
The hack was down to a combination of a “numerical bug: unchecked underflow/overflow” and an “invariant-management issue,” according to the post-mortem report published by Yearn’s pseudonymous “bunny talisman” Banteg.
This led to the attacker minting 235e36 yETH tokens which it then used to withdraw the underlying LSTs.
Banteg was keen to point out that yETH is separate to Yearn’s core vault products and “doesn’t share any code with vaults.”
One observer pointed out the efficiency of the hack transaction, which covered the entire attack flow. They claim it “deployed attack contracts, conducted the attack, tornado cashed part of the profits, and self-destructed the contracts.”
Launched in September 2023, it took over two years for someone to exploit the vulnerability in the yETH pool.
Earlier that year, a yUSDT vault lost $11 million after three years of activity. Meanwhile, back in 2021, a flash loan attack drained another $11 million from the DAI v1 vault, with the hacker profiting just $2.8 million.
Two operational mistakes have also cost the Yearn treasury.
A botched swap in December 2023 lost $1.4 million, and the treasury covered a $25,000 malfunction in the yUSND vault in September, announced last week.
Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.
Source: https://protos.com/yearn-hacker-loses-2-4m-of-9m-loot-as-tokens-burned-from-wallet/