The #yETH attack was a sophisticated exploit that drained roughly $9 million from Yearn Finance’s yETH pool.
Impact: The yETH pool was hit, while V2 and V3 vaults stayed safe; the stolen funds were laundered through Tornado Cash.
Attack: A custom contract minted 235 septillion yETH, swapped it for real assets and emptied the pool.
Vulnerability: A flaw in the yETH smart contract’s rate-update mechanism let the attacker mint unlimited yETH.
The exploit relied on state poisoning, manipulating the protocol’s internal accounting to create a discrepancy that enabled the massive mint.

