Yearn Finance Exploit Results in $9M Loss Through Fake yETH Tokens

Yearn Finance experienced an exploit on its legacy yETH product, resulting in the minting of fake tokens and a subsequent loss of approximately $9 million.

  • The attacker exploited a flaw in the yETH minting logic to create about 235 trillion fake yETH tokens.
  • These tokens were exchanged for real assets from Balancer and Curve liquidity pools, draining them rapidly.
  • Approximately $8 million was taken from the main yETH stable-swap pool, and $0.9 million from a yETH–WETH pool.
  • About 1,000 ETH, valued at around $3 million, was sent to Tornado Cash to obscure the transaction trail.

The breach specifically affected an older version of the yETH product and did not impact Yearn’s V2 and V3 vaults.

Yearn Finance has isolated the affected pool and is working with external security teams to investigate and patch the vulnerability. The market reacted with increased selling pressure, driven by concerns over products that combine liquid staking tokens with custom swap code.