Yearn Finance suspected of being attacked, Hacker has sent 1,000 ETH of stolen funds to Tornado Cash.

On December 1, the decentralized finance protocol Yearn Finance allegedly suffered an attack, as a hacker drained its liquidity pool by infinitely minting yETH.

According to security company PeckShield, the total loss from this attack amounts to approximately 9 million dollars.

Blockchain data shows that the attacker has transferred 1000 ETH (approximately 3 million USD) to the crypto mixer Tornado Cash, while the attacker's address currently still holds crypto assets worth approximately 6 million USD.

01 Event Overview: yETH pool was quickly drained

Yearn Finance's Yearn Ether (yETH) product suffered a serious attack on December 1st. This product is an index token that aggregates various popular liquidity staking tokens (LST).

The attacker exploited a carefully designed vulnerability to mint an almost unlimited amount of yETH tokens in a single transaction, quickly draining the entire liquidity pool.

According to blockchain data, this attack involved multiple newly deployed smart contracts, some of which self-destructed immediately after the transaction was completed, increasing the complexity of the event investigation.

After the attack, Yearn Finance issued a statement on platform X: “We are investigating the incident involving the yETH LST StableSwap pool, and Yearn's V2 and V3 vaults have not been affected.”

02 Attack Method: Infinite minting and fund transfer

According to user Togbe's monitoring, they discovered this unusual attack while monitoring large transfers.

Togbe explained: “The net transfer indicates that yETH has been over minted, which allows the attacker to somehow drain the liquidity pool and profit about 1,000 ETH.”

During the attack, some ETH was sacrificed for unknown reasons, but the attacker ultimately still profited.

After succeeding, the attacker transferred 1000 ETH (worth about 3 million dollars) into Tornado Cash, which is a decentralized privacy protocol often used to hide the flow of funds.

According to PeckShield data, the attacker's address currently still holds approximately 6 million dollars worth of crypto assets.

03 Tornado Cash: Privacy Tools and Money Laundering Controversy

Tornado Cash is a decentralized privacy protocol based on Ethereum that helps users conceal transaction information through zero-knowledge proof technology.

The protocol provides privacy protection for users by severing on-chain links between deposit and withdrawal addresses.

However, this privacy feature also makes it the preferred tool for hackers to launder money.

The U.S. Department of the Treasury included Tornado Cash on its sanctions list in August 2022, citing that since 2019, the hacker organization Lazarus has repeatedly used the platform for money laundering, involving amounts of up to hundreds of millions of dollars.

In March 2025, Tornado Cash was finally removed from the U.S. Treasury's sanctions list, which is seen as a significant victory for the blockchain industry.

04 The Security History of Yearn Finance

This is not the first time Yearn Finance has encountered a security incident.

In 2021, the protocol was attacked, affecting its yDAI vault, resulting in a loss of 11 million dollars, and the hacker ultimately profited 2.8 million dollars.

In December 2023, due to a script error, a vault position of the protocol experienced a 63% loss, but user funds were unaffected.

The founder of Yearn Finance, Andre Cronje, launched the project in 2020 but left two years later.

05 Market Impact and Overall Decline of Cryptocurrency

At the time of the attack, the cryptocurrency market is experiencing a significant decline.

On the morning of December 1st, Bitcoin once fell below $86,000, with a daily decline of over 5%; Ethereum also lost the $2,900 level.

Coinglass data shows that over the past 24 hours, the total liquidation of cryptocurrency contracts exceeded 500 million USD, with the number of liquidated individuals reaching 177,200.

The recent market downturn may be related to market rumors—there are reports that Federal Reserve Chairman Powell may resign, but mainstream foreign media have not reported this news, and analysts believe it is likely false information.

06 Industry Response and Future Outlook

Every hacker attack event raises questions about the security of DeFi.

In the Tornado Cash case, the U.S. Department of Justice filed criminal charges against Tornado Cash co-founders Roman Storm and Roman Semenov in August 2023, accusing them of conspiring to launder money, operating a money transfer business without a license, and violating sanctions regulations.

Industry organizations have expressed opposition, with Coin Center stating, “Viewing the development of open-source software as a crime is an oppression of technological innovation.”

For institutional investors, the Tornado Cash case indicates that regulators now require proactive compliance, rather than just adhering to counterparty identity verification.

Institutions need to implement real-time blockchain monitoring systems and combine automated sanction screening to identify and prevent problematic transactions before they occur.

Future Outlook

The blockchain security company PeckShield estimates that the total loss from this attack is approximately $9 million, of which about $3 million has been transferred to Tornado Cash, and the attacker's address still holds approximately $6 million in cryptocurrency assets.

As of the time of publication, the Yearn Finance team is still investigating the incident and has confirmed that its V2 and V3 vaults were not affected. This incident once again highlights the ongoing challenges faced by the DeFi space between security and regulatory compliance.