Yearn Finance has experienced its second security incident this month, with total losses in December now exceeding $9 million, according to on-chain data and security analysts.
iEarn V1 Contract Exploited
Blockchain security firm PeckShield reported on X that YearnFinanceV1 was exploited overnight, resulting in losses of approximately $300,000. The attacker swapped the stolen assets for 103 ETH, which were later transferred to the address 0x0F21…4066, PeckShield noted.
According to investigators, the exploit targeted a vulnerability in the immutable iEarn TUSD contract, a legacy component of the protocol.
Yearn Team Confirms Limited Impact
In response, the Yearn team acknowledged the issue and emphasized that the exploit does not affect current Yearn vaults or contracts.
“We’re aware of an issue with iEarn’s immutable TUSD contract, deployed over 2100 days ago, unrelated to Yearn vaults.”
The team added that the issue is isolated to iEarn and does not pose a risk to users interacting with active Yearn products.
Attack Method Mirrors 2023 Incident
X user William Li said the exploit was likely caused by another configuration issue. According to the technical details shared, the attacker used flash loans to manipulate the Yearn TUSD vault’s share price by cycling TUSD and sUSD through Fulcrum, triggering a rebalance and collapsing the vault’s valuation. The attacker then sold near-free Yearn TUSD shares on Curve pools to extract profit. Analysts noted the exploit relied on price manipulation rather than a direct fund drain.
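The failure mode described above, as an added example that is not from the article or from Yearn's code: a simplified vault model in which share price is reported assets divided by share supply, showing how a collapsed valuation mints near-free shares and how a deviation bound against an earlier checkpoint rejects the deposit. The `ToyVault` class, the 200 bps bound and all numbers are assumptions constructed for illustration.

```python
# Simplified model (assumption): share price = reported assets / share supply.
# Not the iEarn TUSD contract's code; every number here is constructed.
BPS = 10_000
WAD = 10**18  # fixed-point scale, as commonly used for on-chain prices


class PriceDeviation(Exception):
    """Raised when the share price has moved too far from the checkpoint."""


class ToyVault:
    def __init__(self, assets, shares, max_dev_bps=None):
        self.assets = assets              # value the vault reports for its holdings
        self.shares = shares              # outstanding share supply
        self.max_dev_bps = max_dev_bps    # None means no guard at all
        self.ref_price = self.price()     # price recorded in an earlier block

    def price(self):
        return self.assets * WAD // self.shares

    def rebalance(self, new_reported_assets):
        # Models a rebalance that re-values holdings from a manipulable source.
        self.assets = new_reported_assets

    def deposit(self, amount):
        price = self.price()
        if self.max_dev_bps is not None:
            dev = abs(price - self.ref_price) * BPS // self.ref_price
            if dev > self.max_dev_bps:
                raise PriceDeviation(f"share price moved {dev} bps since checkpoint")
        minted = amount * WAD // price
        self.assets += amount
        self.shares += minted
        return minted


def shares_after_collapse(guard_bps):
    """Deposit 1,000 units right after the reported valuation drops 1000x."""
    vault = ToyVault(assets=1_000_000, shares=1_000_000, max_dev_bps=guard_bps)
    vault.rebalance(1_000)   # valuation collapses within the same transaction
    return vault.deposit(1_000)


def shares_normal(guard_bps):
    """Same deposit with no preceding valuation change."""
    return ToyVault(1_000_000, 1_000_000, guard_bps).deposit(1_000)
```

Without the guard, a 1,000-unit deposit mints as many shares as the entire prior supply; with the bound in place the same deposit is rejected while an ordinary deposit still succeeds.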
Earlier December Hack Drained $9 Million
The latest incident follows a separate exploit earlier this month, when Yearn Finance suffered a major attack targeting its yETH index pool, a product that aggregates multiple liquid staking tokens into a single asset.
At the time, attackers exploited a vulnerability that allowed them to drain the pool in a single transaction. Yearn later confirmed that total losses from that attack amounted to $9 million, including:
– $8 million from a stablecoin pool
– $900,000 from the yETH–WETH pool
Security Concerns Around Legacy Contracts
While Yearn maintains that current vaults remain secure, the repeated incidents have renewed attention on legacy and immutable contracts still connected to long-running DeFi protocols.



