Yearn recovers $2.4 million in stolen assets stemming from ‘unchecked arithmetic’ bug
Summary
The Yearn Finance team has recovered approximately $2.4 million of the assets stolen during a recent exploit targeting its legacy DeFi protocol, with total estimated losses nearing $9 million. The Sunday attack exploited a vulnerability in the Yearn Ether (yETH) stableswap pool on Curve, similar in complexity to a recent Balancer hack. A post-mortem identified the root cause as an 'unchecked arithmetic' bug and other design flaws that allowed the attacker to mint a near-infinite amount of yETH tokens to drain liquidity. Yearn confirmed that the attack was targeted and does not affect its V2 or V3 vaults, and any recovered assets will be returned to affected depositors. The attacker moved at least 1,000 ETH and liquid staking tokens to Tornado Cash, but Yearn, with security partners, managed to recover 857.49 pxETH. The attack involved self-destructing 'helper contracts' to execute the complex, multi-step exploit.
(Source: The Block)