$3 Million in ETH Stolen from Yearn’s yETH Pool and Sent to Tornado Cash

TLDR

• Yearn Finance’s yETH product was hit by an exploit that drained its entire pool of funds.
• Attackers minted unlimited tokens and withdrew millions from Balancer pools.
• The stolen 1,000 ETH, worth $3 million, was routed through Tornado Cash to obscure its origin.
• The exploit targeted newly deployed smart contracts that self-destructed after the transaction.
• Yearn confirmed the breach but assured that its V2 and V3 Vaults were unaffected.

Yearn Finance’s yETH product was hit by a serious exploit on Monday, draining its entire pool. Attackers minted an unlimited number of tokens, withdrawing millions from Balancer pools. Blockchain data indicates that the attackers pocketed roughly 1,000 ETH, which is worth around $3 million. This sum was then funneled through Tornado Cash.

Exploit Drains yETH Pool

The exploit affected Yearn Finance’s yETH, a token that combines multiple liquid-staked Ethereum derivatives (LSTs). The attackers exploited newly deployed smart contracts, which self-destructed after the transaction. According to blockchain data, the total value of the yETH pool was around $11 million before the exploit.

“Heavy transactions on LSTs” were initially flagged by an X user known as Togbe, who raised alarms about the suspicious activity. Yearn later confirmed the breach, assuring users that the V2 and V3 Vaults remained secure and unaffected. Despite this, the attack drained significant funds from the pool.

Tornado Cash Involved in the Exploit

Following the exploit, the stolen 1,000 ETH was sent through Tornado Cash, a well-known cryptocurrency mixer. This allowed the attackers to obfuscate the origin of the funds, making it harder to trace. The mixer has long been associated with laundering stolen funds, and its involvement in this attack is consistent with past exploits.

The use of Tornado Cash in this exploit highlights an ongoing concern in the crypto space. It serves as a reminder of the challenges related to tracking illicit transactions. Blockchain security firm CertiK confirmed the stolen funds were routed through Tornado Cash, adding to the growing list of exploits involving the service.

Previous Yearn Finance Security Incidents

This isn’t the first time Yearn Finance has suffered a security breach. In 2021, the platform lost $11 million when its yDAI vault was hacked. At the time, the attacker took off with $2.8 million in stolen funds. Yearn’s recent history with hacks has raised concerns about the continued security of its platform.

A faulty script in December 2023 wiped out 63% of a position in Yearn’s treasury. Despite these setbacks, the platform has maintained its reputation in the DeFi space. The recent attack has intensified scrutiny over the use of outdated contracts and the need for enhanced security measures.

DeFi Ecosystem Suffers Major Losses

The exploit on Yearn Finance is part of a broader trend of DeFi attacks. CertiK reported that the crypto industry lost an estimated $127 million due to hacks and exploits. The year’s largest DeFi exploit occurred on the Balancer platform, where a cross-chain attack resulted in a loss of $116 million.

With these incidents, the security of decentralized finance platforms remains a critical issue. Hackers are increasingly targeting DeFi platforms, draining millions and sending funds through services like Tornado Cash. The ongoing issues with DeFi security have left many in the community questioning how to protect against such attacks.

The post $3 Million in ETH Stolen from Yearn’s yETH Pool and Sent to Tornado Cash appeared first on CoinCentral.