Yearn Finance: A $9M Hack and the Aftermath

Wed Dec 03 2025
Yearn Finance, a well-known decentralized finance platform, faced another setback with a $9 million hack. This incident, the fifth in five years, targeted the yETH stableswap pool, extracting various ether (ETH) liquid staking tokens (LSTs). The hacker managed to steal a significant amount, but not all was lost. The issuer of 850 pxETH tokens, worth $2.4 million, burned them, effectively reducing the hacker's loot. This action was taken after a warning message was sent to the hacker's address, cautioning about the risk of tokens being burned or blacklisted.

The hack was made possible by a combination of a numerical bug and an invariant-management issue. The attacker exploited these vulnerabilities to mint a large number of yETH tokens, which were then used to withdraw the underlying LSTs.

Interestingly, the hacker's address received two fake bounty offers, and a Yearn deployer address urged the attacker to open a communication channel to discuss terms constructively. This shows the lengths to which Yearn was willing to go to recover the stolen funds. The efficiency of the hack transaction was noted by an observer, who pointed out that it covered the entire attack flow, including deploying attack contracts, conducting the attack, and self-destructing the contracts.

This is not the first time Yearn Finance has faced such issues. In 2023, a yUSDT vault lost $11 million after three years of activity. In 2021, a flash loan attack drained another $11 million from the DAI v1 vault, with the hacker profiting just $2.8 million. Operational mistakes have also cost the Yearn treasury. A botched swap in December 2023 lost $1.4 million, and the treasury covered a $25,000 malfunction in the yUSND vault in September.
https://localnews.ai/article/yearn-finance-a-9m-hack-and-the-aftermath-72c9b222
