On December 1, decentralized finance protocol Yearn Finance reportedly suffered an attack, with hackers draining its liquidity pool by minting an unlimited supply of yETH.
According to security firm PeckShield, the total losses from this incident are estimated at around $9 million.
Blockchain data shows the attacker has already transferred 1,000 ETH (approximately $3 million) to the crypto mixer Tornado Cash, while the attacker’s address still holds about $6 million worth of crypto assets.
01 Incident Overview: yETH Pool Drained Rapidly
On December 1, Yearn Finance’s Yearn Ether (yETH) product suffered a major attack. This product is an index token aggregating several popular liquid staking tokens (LSTs).
The attacker exploited a carefully crafted vulnerability to mint nearly unlimited yETH tokens in a single transaction, quickly draining the entire liquidity pool.
Blockchain data indicates the attack involved several newly deployed smart contracts, some of which self-destructed immediately after the transaction, complicating the investigation.
After the incident, Yearn Finance released a statement on X: "We are investigating the event involving the yETH LST StableSwap pool. Yearn’s V2 and V3 vaults are unaffected."
02 Attack Method: Unlimited Minting and Fund Transfers
According to X user Togbe, the attack was detected while monitoring large transfers.
Togbe explained, "Net transfers show yETH was over-minted, allowing the attacker to somehow drain the pool and profit by about 1,000 ETH."
During the attack, some ETH was lost for unknown reasons, but the attacker ultimately still profited.
After securing the funds, the attacker transferred 1,000 ETH (worth about $3 million) into Tornado Cash—a decentralized privacy protocol often used to obscure the flow of funds.
PeckShield data shows the attacker’s address still holds approximately $6 million in crypto assets.
03 Tornado Cash: Privacy Tool and Money Laundering Controversy
Tornado Cash is an Ethereum-based decentralized privacy protocol that uses zero-knowledge proof technology to help users conceal transaction details.
The protocol provides privacy protection by severing on-chain links between deposit and withdrawal addresses.
However, this privacy feature has also made Tornado Cash a preferred tool for hackers seeking to launder funds.
In August 2022, the US Treasury added Tornado Cash to its sanctions list, citing that the Lazarus hacker group had used the platform for laundering hundreds of millions of dollars since 2019.
In March 2025, Tornado Cash was finally removed from the Treasury’s sanctions list—a development seen as a major victory for the blockchain industry.
04 Yearn Finance’s Security Track Record
This is not the first time Yearn Finance has experienced a security incident.
In 2021, the protocol suffered an attack affecting its yDAI vault, resulting in $11 million in losses, with hackers ultimately profiting $2.8 million.
In December 2023, a script error caused a 63% loss in one vault position, though user funds were not affected.
Yearn Finance was launched in 2020 by founder Andre Cronje, who left the project two years later.
05 Market Impact and Broader Crypto Downturn
The attack occurred during a sharp downturn in the cryptocurrency market.
On the morning of December 1, Bitcoin briefly fell below $86,000, dropping more than 5% in a single day; Ethereum also lost its grip on the $2,900 level.
According to Coinglass data, over $500 million in crypto contracts were liquidated across the network in 24 hours, affecting 177,200 traders.
This market decline may be linked to rumors that Federal Reserve Chair Jerome Powell could resign, though mainstream foreign media have not reported this, and analysts believe the rumor is likely false.
06 Industry Response and Future Outlook
Every hacking incident raises new questions about DeFi security.
In the Tornado Cash case, the US Department of Justice filed criminal charges in August 2023 against co-founders Roman Storm and Roman Semenov, accusing them of conspiracy to launder money, operating an unlicensed money transmission business, and violating sanctions regulations.
Industry organizations have pushed back, with Coin Center stating, "Treating open-source software development as a crime is a blow to technological innovation."
For institutional investors, the Tornado Cash case shows that regulators now expect proactive compliance, not just counterparty identity verification.
Institutions need to implement real-time blockchain monitoring systems combined with automated sanctions screening to identify and block problematic transactions before they occur.
Outlook
Blockchain security firm PeckShield estimates total losses from this attack at about $9 million, with roughly $3 million already moved to Tornado Cash and about $6 million in crypto assets still held by the attacker’s address.
As of press time, the Yearn Finance team continues to investigate the incident and has confirmed its V2 and V3 vaults remain unaffected. This event once again highlights the ongoing challenges DeFi faces in balancing security and regulatory compliance.
