Decentralized finance protocol Yearn Finance has recovered $2.4 million of nearly $9 million stolen in a recent sophisticated cyberattack, underscoring ongoing security challenges for older DeFi systems.
The recovery represents over 25% of the total funds lost in the complex exploit. Yearn’s team confirmed the retrieval of these assets, which were taken from its legacy pools.
The attackers managed to drain approximately $9 million in tokens. The incident specifically impacted the Yearn Ether (yETH) stableswap pool and a smaller yETH-WETH pool within Curve Finance.
Investigators determined the attackers employed advanced methods, including self-destructing “helper” contracts. These contracts are designed to vanish after executing their function, making post-attack code analysis significantly more difficult.
The exploit stemmed from an unchecked arithmetic error and other design flaws. This vulnerability allowed the attacker to mint an effectively infinite quantity of yETH tokens.
These inflated tokens were then used to illicitly withdraw real liquidity. “The pattern of the exploited transactions is clear: after the enormous initial minting, sequential withdrawals are executed that move real assets to the attacker,” according to the forensic analysis.
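The mint-then-withdraw pattern quoted above can be expressed as a monitoring heuristic over pool events. This is an added example, not code from Yearn or from the forensic analysis; the event format, the thresholds (`mint_ratio`, `min_withdrawals`), the account names and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    tx: str        # transaction id (constructed)
    kind: str      # "mint" or "withdraw" of pool tokens
    account: str   # address that minted or burned pool tokens
    amount: int    # pool-token base units minted or burned

def flag_mint_then_drain(events, supply_before, mint_ratio=10, min_withdrawals=2):
    """Flag accounts whose single mint dwarfs the pool-token supply that
    existed just before it and that then perform repeated withdrawals."""
    supply = supply_before
    suspects = {}  # account -> {"mint_tx": str, "withdrawals": [tx, ...]}
    for ev in events:
        if ev.kind == "mint":
            # An empty pool has no baseline, so a first deposit is never flagged.
            if supply > 0 and ev.amount >= mint_ratio * supply:
                suspects.setdefault(ev.account,
                                    {"mint_tx": ev.tx, "withdrawals": []})
            supply += ev.amount
        elif ev.kind == "withdraw":
            if ev.account in suspects:
                suspects[ev.account]["withdrawals"].append(ev.tx)
            supply = max(supply - ev.amount, 0)
    # A large mint alone is only an anomaly; the follow-up withdrawals
    # are what match the pattern described in the analysis.
    return {acct: info for acct, info in suspects.items()
            if len(info["withdrawals"]) >= min_withdrawals}

# Constructed sample data: ordinary activity, then one outsized mint
# followed by sequential withdrawals from the same account.
SAMPLE_SUPPLY = 1_000
SAMPLE_EVENTS = [
    Event("0xa1", "mint", "acct_normal", 50),
    Event("0xa2", "withdraw", "acct_normal", 20),
    Event("0xb1", "mint", "acct_suspect", 10**30),
    Event("0xb2", "withdraw", "acct_suspect", 400),
    Event("0xb3", "withdraw", "acct_suspect", 300),
    Event("0xc1", "withdraw", "acct_other", 10),
]

if __name__ == "__main__":
    for acct, info in flag_mint_then_drain(SAMPLE_EVENTS, SAMPLE_SUPPLY).items():
        print(acct, info["mint_tx"], info["withdrawals"])
```

In production the baseline supply and events would come from the pool contract's on-chain logs, and an alert on the outsized mint itself, before any withdrawal, gives responders the earliest signal.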
Yearn Finance emphasized that the security breach was confined to these older, “legacy components” of its system. Its current V2 and V3 vaults were not affected by the exploit.
The protocol has pledged to return all recovered funds to the affected depositors, aiming to mitigate the financial impact for those harmed.
This marks the third time Yearn Finance has experienced an exploit since 2021. Such repeated incidents highlight persistent risks associated with established DeFi protocols.
To complicate tracing efforts, the attacker transferred at least 1,000 ETH and various liquid staking tokens to Tornado Cash, a cryptocurrency mixer known for enhancing anonymity.
Yearn is actively collaborating with specialized crypto cybersecurity firms, including SEAL 911 and ChainSecurity. It also worked with Plume Network, which assisted in recovering 857.49 pxETH.
Recovery efforts are ongoing, with Yearn’s team promising further updates as investigations progress. The incident underscores the continuous battle between DeFi protocols and determined attackers.
