Yearn recovers $2.4 million in stolen assets stemming from 'unchecked arithmetic' bug


The Block, 2025/11/30 16:00
By Daniel Kuhn

Quick Take: OG DeFi protocol Yearn Finance lost about $9 million in an exploit on Sunday, after an attacker was able to mint a near-infinite amount of yETH tokens and drain a Yearn Ether stableswap pool. The team said a recovery mission is ongoing and that its V2 and V3 protocols are not at risk.


The Yearn Finance team has recovered approximately $2.4 million worth of stolen assets from the most recent exploit of the legacy DeFi protocol, as total estimated losses approach $9 million, according to an update on Monday. A coordinated recovery mission is “active and ongoing,” a post on X reads.

On Sunday, a vulnerability in the once-popular yield-farming protocol was exploited to drain assets from the Yearn Ether (yETH) stableswap pool and the smaller yETH‑WETH pool on Curve. The attack, the third targeting Yearn since 2021, was of a “similar high complexity” to the recent Balancer hack, Yearn said.

According to a post-mortem published on Monday, the “root cause” stems from an “unchecked arithmetic” bug and other “contributing design issues” that enabled the attacker to mint the 2.3544x10^56 yETH tokens, a near-infinite amount, used to drain liquidity from the protocol.

“The actual exploit transactions follow this pattern: the huge mint is followed by a sequence of withdrawals that move real assets to the attacker, while the yETH token supply is effectively meaningless,” according to the postmortem. 

Yearn notes that the attack was targeted and should not impact its V2 or V3 vaults. “Any assets successfully recovered will be returned to affected depositors,” the team added. 

As The Block previously reported, the attacker was able to move at least 1,000 ETH and several liquid staking tokens to the Tornado Cash anonymizer. Yearn, together with crypto security firms SEAL 911 and ChainSecurity, worked with Plume network to recover 857.49 pxETH as of press time.

Blockscout said that the hacker deployed self-destructing “helper contracts” as part of the attack. These code inserts are specialized auxiliary smart contracts that are used to perform automated tasks, and are often abused during flash loan attacks that require multiple steps within a single transaction.

The attacker, for instance, used a helper contract to manipulate the vulnerable yETH function, mint an absurd amount of tokens, and drain the protocol, before detonating itself. “Self-destruct removes bytecode, making the contract unreadable afterward, but creation transactions and logs are preserved,” Blockscout said.

"Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis," Yearn said on Sunday. "There is no other Yearn product using similar code to what was impacted."

