Yearn Finance: A $9M Hack and the Aftermath
A Recurring Problem
Yearn Finance, a prominent decentralized finance (DeFi) platform, has once again fallen victim to a significant security breach. This time, the hack resulted in a loss of $9 million, marking the fifth incident in five years.
The latest attack targeted the yETH stableswap pool, draining various Ether (ETH) liquid staking tokens (LSTs).
The Hacker's Strategy
The attacker exploited a numerical bug and an invariant-management issue to mint a large number of yETH tokens, which were then used to withdraw the underlying LSTs.
Despite the substantial theft, not all was lost. The issuer of 850 pxETH tokens, worth $2.4 million, burned them, effectively reducing the hacker's loot. This action followed a warning message sent to the hacker's address, cautioning about the risk of tokens being burned or blacklisted.
Yearn's Response
Yearn Finance attempted to negotiate with the hacker, offering fake bounty deals and urging the attacker to open a communication channel so that terms could be discussed constructively. This underlines how keen the platform is to recover the stolen funds.
An observer noted the efficiency of the hack transaction, which covered the entire attack flow, including:
- Deploying attack contracts
- Conducting the attack
- Self-destructing the contracts
A History of Vulnerabilities
This is not the first time Yearn Finance has faced such issues:
- 2023: A yUSDT vault lost $11 million after three years of activity.
- 2021: A flash loan attack drained $11 million from the DAI v1 vault, with the hacker profiting $2.8 million.
Operational Mistakes
Yearn's treasury has also suffered from operational errors:
- December 2023: A botched swap lost $1.4 million.
- September 2023: The treasury covered a $25,000 malfunction in the yUSND vault.