The DeFi giant Yearn Finance was attacked due to a minting vulnerability, resulting in the theft of $3 million in yETH.


In the rapid development wave of Web3 finance, security vulnerabilities hang over decentralized protocols like the sword of Damocles. Recently, the DeFi giant Yearn Finance's yETH product suffered a minting vulnerability attack, once again sounding the security alarm in the Web3 world. The attacker exploited a carefully designed vulnerability to successfully mint an unlimited amount of yETH tokens, draining the liquidity pool in a single transaction and profiting approximately 1,000 ETH (valued at about 3 million dollars at current prices). Some of the stolen funds have been transferred to the mixing protocol Tornado Cash, posing significant challenges for tracing. This developing news not only exposes the potential vulnerabilities of complex DeFi protocols but also profoundly reminds all Web3 participants of the extreme importance of security protection and code auditing.

  1. Yearn yETH suffers "infinite minting" vulnerability attack, 3 million dollars in ETH stolen

The yield farming protocol Yearn Finance's yETH product encountered a minting vulnerability attack, where the attacker seemingly exploited the vulnerability to mint nearly unlimited amounts of yETH, draining the pool and profiting approximately 1,000 ETH (about 3 million dollars).

Attack Method: Blockchain data shows that the yETH liquidity pool was evidently emptied by a carefully designed exploit program, which minted nearly unlimited quantities of yETH tokens in a single transaction, thus draining the liquidity pool.

Stolen Assets and Transfer: This attack resulted in 1,000 ETH (valued at about 3 million dollars at current prices) being sent to the mixing protocol Tornado Cash. The use of the mixing protocol makes tracing the funds exceptionally difficult.

Complexity of the Attack: Blockchain data indicates that this attack seems to involve multiple newly deployed smart contracts, some of which self-destructed after the transaction was completed, further complicating the investigation.

Potential Losses: The total amount of losses is currently unclear, but the value of the yETH liquidity pool before the attack was approximately 11 million dollars.

  2. Yearn Finance's Emergency Response: Investigation ongoing, V2 and V3 Vaults unaffected

The Yearn Finance team quickly responded to the incident and updated the community on the latest situation.

Official Announcement: Yearn wrote on X: "We are investigating an incident involving the yETH LST stablecoin pool. Yearn Vaults (including V2 and V3) are unaffected."

Discovery by Togbe: The hack was first discovered by X user Togbe. Togbe noticed this obvious attack while monitoring large transfers. "Net transfer data shows that the yETH super minting allowed the attacker to drain the liquidity pool, profiting about 1,000 ETH," Togbe wrote in a message. "While other ETH was sacrificed, they still made a profit."
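The kind of monitoring described above can be sketched as a check over ERC-20 `Transfer` events: flag any transaction whose mints (transfers from the zero address) are outsized relative to the prior supply, then list which addresses leave that transaction holding more of other tokens. This is an added example, not code from Yearn or Togbe; the event tuples, addresses, the `WETH` label and the 50% threshold are constructed assumptions.

```python
from collections import defaultdict

ZERO = "0x" + "0" * 40  # ERC-20 mints/burns are Transfer events from/to this address

# Constructed sample events (not real chain data): (tx, token, from, to, amount)
SAMPLE_EVENTS = [
    ("0xaaa1", "yETH", ZERO, "0xuser1", 50),
    ("0xaaa2", "yETH", "0xuser1", "0xpool", 20),
    ("0xbbb1", "yETH", ZERO, "0xattacker", 10**30),      # outsized mint
    ("0xbbb1", "yETH", "0xattacker", "0xpool", 10**30),  # dumped into the pool
    ("0xbbb1", "WETH", "0xpool", "0xattacker", 1000),    # pool drained, same tx
    ("0xccc1", "yETH", ZERO, "0xuser2", 30),
]

def scan(events, token, supply_before, max_mint_pct=50):
    """Alert on transactions minting more than max_mint_pct% of the prior supply."""
    by_tx, order = defaultdict(list), []
    for ev in events:                      # group events by tx, keeping chain order
        if ev[0] not in by_tx:
            order.append(ev[0])
        by_tx[ev[0]].append(ev)

    supply, alerts = supply_before, []
    for tx in order:
        minted = burned = 0
        net = defaultdict(lambda: defaultdict(int))  # address -> token -> net change
        for _, tok, src, dst, amt in by_tx[tx]:
            if tok == token and src == ZERO:
                minted += amt
            if tok == token and dst == ZERO:
                burned += amt
            if src != ZERO:
                net[src][tok] -= amt
            if dst != ZERO:
                net[dst][tok] += amt
        # Integer comparison avoids float rounding on 18-decimal token amounts.
        if supply > 0 and minted * 100 > max_mint_pct * supply:
            gainers = {}
            for addr, toks in net.items():  # who ends the tx up in *other* tokens
                gained = {t: v for t, v in toks.items() if t != token and v > 0}
                if gained:
                    gainers[addr] = gained
            alerts.append({"tx": tx, "minted": minted,
                           "supply_before": supply, "gainers": gainers})
        supply += minted - burned
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, "yETH", supply_before=1000):
        print(alert["tx"], "minted", alert["minted"], "gainers", alert["gainers"])
```
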

  3. yETH: Liquid Staking Token Aggregator and Potential Risks

Yearn Ether (yETH) is a product under Yearn Finance, designed to aggregate popular LSTs (liquid staking tokens) into a single token.

Function: yETH aggregates popular LSTs into a single token, allowing users to earn from multiple LSTs through a single entry point.

Potential Risks: The complex mechanism of aggregating multiple LSTs may introduce more potential vulnerabilities at the smart contract level, increasing the risk of being attacked.

  4. Yearn Finance's "Dark History": Repeatedly targeted by attacks

This is not the first time Yearn Finance has faced a security incident.

2021 Attack: In 2021, Yearn Finance suffered a cyber attack, resulting in a loss of 11 million dollars from its yDAI vault, with hackers stealing 2.8 million dollars.

2023 Faulty Script: In December 2023, the protocol reported that a faulty script caused a 63% loss in one of its vault positions, but user funds were unaffected.

Founder's Departure: Yearn's founder, Andre Cronje, established the project in 2020 and left the project two years later.

  5. Web3 Security Alarm Rings Again: Potential Vulnerabilities of Complex Protocols

The Yearn Finance yETH minting vulnerability attack once again rings the alarm for security in the Web3 space.

Complexity of Smart Contracts: Complex DeFi protocols, especially those aggregating multiple tokens and derivatives, may have hard-to-detect vulnerabilities in their smart contract code.

Challenges of Auditing and Testing: Even after multiple audits and tests, it is difficult to completely eliminate all potential vulnerabilities, especially in system interactions and extreme scenarios.

Threat of Mixing Protocols: The use of mixing protocols like Tornado Cash makes tracing and freezing stolen funds exceptionally difficult, increasing the challenge of combating crypto crime.

Conclusion:

The Yearn Finance yETH minting vulnerability attack, resulting in 3 million dollars in ETH stolen and transferred to Tornado Cash, is a significant security incident that has recently occurred in the Web3 space. This not only highlights the potential vulnerabilities of complex DeFi protocols but also profoundly reminds all Web3 participants of the extreme importance of security protection and code auditing. In the rapid development wave of Web3 finance, finding a balance between innovation and security will be a severe challenge that all project teams must face.


Original: “DeFi giant Yearn Finance hit by minting exploit, 3 million dollars in yETH stolen”
