DeFi platform Yearn Finance suffered a major breach on November 30. Security firm PeckShield flagged the breach on X, claiming that the hackers minted a “near-infinite” number of yETH tokens leading to the depletion of the pool in one transaction. An estimate of $9 million have been drained out of the protocol, that has been operating in the DeFi space since 2020 and has held over a billion dollars in assets since being launched, as per Kriptomat data.
According to PeckShield, the attacker is already moving the stolen funds around. The cybersecurity firm reported that one thousand ETH tokens amounting close to $3 million have been wired into crypto mixer Tornado Cash. Through this step, the actor will be able to swap the stolen tokens for others from a common pool of multiple tokens, breaking the possible chain of detection and identification.
Sharing the exploiter’s wallet address, PeckShield said it still holds around $6 million of the funds drained from Yearn Finance.
The attackers targeted the yETH stableswap pool on Yearn Finance. The Yearn Ether token (yETH), backed 1:1 by ETH, is a community-governed index token that is composed of multiple ETH liquid staking tokens that do not churn any yield.
The details of the attack were outlined on the official handle of Yearn (@yearnfi). The platform has recently posted that it has managed to recover $2.39 million with help from Plume and Dinero teams.
A post on from the account said, “Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis. There is no other Yearn product using similar code to what was impacted.”
The platform has asked impacted users to raise a ticket on its Discord channel for assistance as it continues efforts to recover the stolen assets. Investigation in the incident is ongoing and the unidentified attacker still remains at large.
The hack of Yearn Finance comes just days after $30 million were pulled out of South Korea’s Upbit exchange.