Veteran DeFi protocol Yearn Finance continues to be a target for hackers, having just recorded a new attack that caused approximately $300,000 in losses, raising further concerns about potential security risks from outdated code remaining in long-standing blockchain projects. Initial reports suggest the incident did not originate from the operational products themselves, but rather from a very old smart contract, implemented in 2020, when the project was still operating under the name iearn – the predecessor of today's Yearn Finance.
Notably, the Yearn team confirmed that all existing vaults of the protocol were unaffected, meaning users depositing assets in Yearn's core products remain safe. However, the attacker exploited a vulnerability in the old contract to withdraw funds and quickly swap the stolen assets for 103 ETH, demonstrating a high level of sophistication and speed in concealing the flow of funds on the chain.
This incident occurred less than a month after Yearn Finance also faced another serious attack related to its yETH pool, resulting in losses of approximately $9 million. Although the project team collaborated with multiple parties to trace and recover assets, only about $2.4 million has been recovered so far, less than one-third of the total loss. This chain of incidents has led the DeFi community to question the "time bombs" embedded in older contracts, implemented during the early stages of the market when security standards and audit processes were not as developed as they are today.
