An 'infinite-mint' attack hit Yearn Finance's yETH, draining 2.8 million from Balancer pools and triggering an abnormal market reaction on the YFI token.
Yearn Finance confirmed an active exploit that affected its yETH product late Sunday evening. The incident took place after an attacker managed to mint an effectively unlimited amount of yETH, consequently draining liquidity from Balancer's pools.
The incident triggered intense on-chain movement, including multiple 100 ETH transactions routed through Tornado Cash.
The 'Infinite-Mint' Attack and Liquidity Drainage
According to blockchain data, the exploit occurred around 21:11 UTC on 30 November, when a malicious wallet executed an attack known as "infinite-mint". With a single transaction, the attacker created the huge sum of approximately 235 trillion yETH.
Nansen's alert system later confirmed the attack and identified the event as an 'infinite-mint' vulnerability in the yETH token contract, and not in Yearn's Vault infrastructure. By exploiting the newly minted yETH pool, the attacker was able to drain real assets - mainly ETH and Liquid Staking Tokens (LSTs) - from Balancer's liquidity pools. Early estimates suggest that assets with a total value of around $2.8 million were siphoned off.
Some other Balancer-related moves appear to be an exploit, considering the heavy interactions with Tornado. Togbe has said on X that Yearn, Rocket Pool, Origin, Dinero and other LSTs are involved.
The Unhit Systems and the Post-Attack Recycling
Some 1.000 ETH were transferred and 'recycled' through Tornado Cash. The attacker showed meticulous planning, employing several helper contracts that were deployed minutes before the incident and self-destructed soon after to obscure the transaction path.
Yearn wanted to reassure the community, stating that its V2 and V3 Vaults were not affected by the attack. The vulnerability, as previously noted, appears to be limited to the older yETH implementation only. Despite the incident, the Total Locked Value (TVL) of the protocol remains above $600 million, according to CoinGecko, suggesting that core systems and core funds have not been compromised.
The Strange 'Short Squeeze' of the YFI Token
The market reaction created an unexpected anomaly. Immediately after the exploit was reported on social media, the price of Yearn's governance token, YFI, rose sharply, soaring from around $4,080 to over $4,160 in less than an hour.
This anomalous surge appears to be due to a misinterpretation of the market in the first moments of the incident. Initial, and generic, reports of a "Yearn's exploit" prompted traders to open highly leveraged short positions on YFI. Since the attack was isolated to yETH and had not affected the major Vaults, short-sellers quickly began hedging their positions.
This forced closure triggered a short squeeze and a subsequent volatility-driven price surge. With a circulating supply of only 33,984 tokens, YFI is one of DeFi's least liquid governance assets, a structure that greatly amplifies price movements.
For the time being, the losses appear to be confined to the yETH and Balancer pools affected by the exploit. Investigations are still ongoing, and it is unclear whether recovery options exist for the stolen assets. Markets await a formal disclosure from Yearn detailing the root cause, patching efforts and potential governance actions.
Eleven Drainer, a new phishing-as-a-service, is expanding its business. Despite the sophistication of the attacks, human error remains the main weakness. The defence lies in user discipline.
Yearn Finance confirmed an active exploit that affected its yETH product late Sunday evening. The incident took place after an attacker managed to mint an effectively unlimited amount of yETH, consequently draining liquidity from Balancer's pools.
The incident triggered intense on-chain movement, including multiple 100 ETH transactions routed through Tornado Cash.
The 'Infinite-Mint' Attack and Liquidity Drainage
According to blockchain data, the exploit occurred around 21:11 UTC on 30 November, when a malicious wallet executed an attack known as "infinite-mint". With a single transaction, the attacker created the huge sum of approximately 235 trillion yETH.
Nansen's alert system later confirmed the attack and identified the event as an 'infinite-mint' vulnerability in the yETH token contract, and not in Yearn's Vault infrastructure. By exploiting the newly minted yETH pool, the attacker was able to drain real assets - mainly ETH and Liquid Staking Tokens (LSTs) - from Balancer's liquidity pools. Early estimates suggest that assets with a total value of around $2.8 million were siphoned off.
The Unhit Systems and the Post-Attack Recycling
Some 1.000 ETH were transferred and 'recycled' through Tornado Cash. The attacker showed meticulous planning, employing several helper contracts that were deployed minutes before the incident and self-destructed soon after to obscure the transaction path.
Yearn wanted to reassure the community, stating that its V2 and V3 Vaults were not affected by the attack. The vulnerability, as previously noted, appears to be limited to the older yETH implementation only. Despite the incident, the Total Locked Value (TVL) of the protocol remains above $600 million, according to CoinGecko, suggesting that core systems and core funds have not been compromised.
The Strange 'Short Squeeze' of the YFI Token
The market reaction created an unexpected anomaly. Immediately after the exploit was reported on social media, the price of Yearn's governance token, YFI, rose sharply, soaring from around $4,080 to over $4,160 in less than an hour.
This anomalous surge appears to be due to a misinterpretation of the market in the first moments of the incident. Initial, and generic, reports of a "Yearn's exploit" prompted traders to open highly leveraged short positions on YFI. Since the attack was isolated to yETH and had not affected the major Vaults, short-sellers quickly began hedging their positions.
This forced closure triggered a short squeeze and a subsequent volatility-driven price surge. With a circulating supply of only 33,984 tokens, YFI is one of DeFi's least liquid governance assets, a structure that greatly amplifies price movements.
For the time being, the losses appear to be confined to the yETH and Balancer pools affected by the exploit. Investigations are still ongoing, and it is unclear whether recovery options exist for the stolen assets. Markets await a formal disclosure from Yearn detailing the root cause, patching efforts and potential governance actions.
Read Next
32 Million Upbit Hack: Token Solana to Stars on the Korean Market!
Upbit suspends deposits and withdrawals after a hacker attack that embezzled 32 million in Solana tokens, causing heavy premiums in the Korean market.
UK crypto heist: convictions and self-custody risk
A heist of more than 4.3 million in cryptocurrencies in the UK calls into question the security of self-custody and the risks of the human factor.
Crypto Clash: Beijing Blames US for LuBian's 127,000 BTC Bitcoin Exploit
China accuses Washington of 'draining' 127,000 BTC from LuBian in 2020. Researchers link the exploit to a flaw in key generation.
New Eleven Drainer attack: threat to crypto wallets
Eleven Drainer, a new phishing-as-a-service, is expanding its business. Despite the sophistication of the attacks, human error remains the main weakness. The defence lies in user discipline.