Yearn Finance hit by fourth exploit as attacker drains legacy v1 vault

Yearn Finance suffers its fourth exploit as a flash loan attack drains a legacy v1 vault, underscoring ongoing risks from outdated DeFi contracts and price manipulation tactics.​

Summary

• PeckShield reports an attacker used flash loans to manipulate prices in a deprecated Yearn v1 (iearn) vault, withdraw assets and convert them into another token.​
• The hit follows a separate $9 million yETH exploit earlier this month and prior hacks in 2023 and 2021, despite multiple audits on the protocol’s contracts.​
• Yearn says it is reviewing active contracts, boosting security checks and warning users to be cautious with older v1 vaults as flash loan attacks keep targeting legacy DeFi code.

Yearn Finance, a decentralized finance protocol, has experienced its fourth security exploit in recent weeks, according to blockchain security firm PeckShield.

The latest attack targeted a legacy Yearn v1 smart contract, formerly known as iearn, resulting in reported losses, the company stated. The incident follows a previous exploit reported in November.

Yearn finance unveils attacker flash loan strategy

The attacker utilized a flash loan to manipulate token prices within the affected vault, according to PeckShield’s analysis. The perpetrator withdrew iearn assets and converted them into another cryptocurrency, the security firm reported. The compromised contract is part of Yearn v1 and has not received updates for several years, according to protocol documentation.

Flash loans enable borrowers to obtain large amounts of cryptocurrency without collateral, allowing attackers to manipulate prices and withdraw assets rapidly, according to blockchain security experts.

Yearn Finance has experienced four security breaches in recent years. In November, the protocol suffered an infinite mint exploit, according to reports. In 2023, Yearn experienced another hack and a separate incident connected to Euler Finance, industry sources stated. In 2021, a similar exploit resulted in significant losses, according to protocol records.

Each attack has employed complex methods including flash loans and price manipulation, according to security analyses. Security audits have been performed on the protocol, though legacy contracts remain exposed to potential vulnerabilities, according to blockchain security firms.

Yearn Finance is reviewing all active contracts for weaknesses, the protocol announced. PeckShield and other blockchain monitoring services tracked the exploit immediately and urged users to verify balances and secure potentially vulnerable funds.

The protocol team has not provided public details regarding recovery plans. Yearn Finance continues examining remaining v1 contracts for vulnerabilities and has recommended caution when interacting with older vaults, according to a protocol statement.

Security audits and checks are being increased to prevent further losses, the company stated. Flash loan attacks continue to present risks for legacy decentralized finance protocols, according to industry security assessments.