The crypto project Yearn Finance has confirmed a security incident involving a custom yETH stableswap pool that resulted in approximately $9 million in total losses.
Yearn Finance Hit by $9M DeFi Exploit, Recovers $2.39M pxETH
WRITTEN BY
SHARE
Impact Assessment and Containment
Yearn Finance, the decentralized finance ( DeFi) yield aggregator, has confirmed a security incident involving a custom yETH stableswap pool that resulted in approximately $9 million in total losses. The exploit, which occurred at 16:11 EST on Nov. 30, involved the unauthorized minting of a large amount of yETH.Crucially, Yearn stated that the impacted contract is a custom version of popular stableswap code and is entirely unrelated to other Yearn products.
In an update shared on X, the protocol confirmed that the main Yearn V2 and V3 vaults are not affected by this specific vulnerability. An initial analysis indicated the attack primarily targeted two areas: the yETH Stableswap Pool, with a direct impact of about $8 million, and the yETH-WETH Stableswap Pool on Curve, where approximately $0.9 million was siphoned.
Yearn said it moved quickly to form a joint “war room” with security partners, including the white-hat hacking collective SEAL911 and the yETH audit partner, ChainSecurity, to conduct a full post-mortem investigation.
According to the Yearn team, preliminary indications point to this being a highly sophisticated attack.
“Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis. There is no other Yearn product using similar code to what was impacted,” the team affirmed, seeking to reassure users of its core vaults.
Read more: Balancer Breach Tied to Batch Swap Rounding Bug; Investigation Ongoing
The team also stressed its commitment to taking security seriously and promised to integrate all lessons learned from the incident into its future protocol development. The team directed any users impacted by the event to open a support ticket on its Discord channel for assistance.
Meanwhile, in a later update, Yearn claimed to have recovered 857.49 pxETH (Dinero Staked ETH) valued at $2.39 million. The recovery was achieved with the assistance of the Plume and Dinero teams, who are associated with the institutional liquid staking token used in the affected pool.
FAQ 💡
- What happened to Yearn Finance? A custom yETH stableswap pool exploit caused about $9 million in losses on Nov. 30.
- Are Yearn’s main vaults affected? Yearn confirmed V2 and V3 vaults are safe and unrelated to the impacted contract.
- Which pools were targeted? The attack hit the yETH Stableswap Pool (~$8M) and the yETH-WETH Pool on Curve (~$0.9M).
- How is Yearn responding? A joint war room with SEAL911 and ChainSecurity is investigating this highly complex hack.
