In a major blow to the decentralized finance (DeFi) world, Yearn Finance has confirmed it lost approximately US$9 million. This occurred after an attacker exploited a severe vulnerability in its legacy yETH product. The attack, which took place on November 30, 2025, drained the entire yETH liquidity pool in a single transaction.
yETH is a liquid-staking index token that bundles several staking derivatives, such as stETH and rETH, into a single asset. It gives users exposure to staked ETH via one simplified token.
According to on-chain analysis, the attacker leveraged a critical “infinite-mint” flaw in the yETH smart contract. The bug allowed minting of a near-unlimited number of yETH tokens without requiring the proper collateral or supply checks.
Once the attacker minted these synthetic yETH tokens, they were immediately swapped for real ETH and other liquid staking derivatives. These assets were drawn from Yearn’s liquidity pools. This single transaction drained around $8 million from the custom stableswap pool. It also took another $0.9 million from the yETH–WETH pool, according to Yearn’s internal breakdown.
Blockchain data traced the attacker’s subsequent moves. Approximately 1,000 ETH (worth about $3 million) was transferred into Tornado Cash. Tornado Cash is a decentralized mixer widely used to obfuscate fund trails.
Another estimated $6 million remains in the attacker’s wallet, held in a variety of staking derivatives and liquidity tokens.
In response, Yearn publicly stated that the compromised contract belongs to a legacy yETH pool. Notably, its core Vaults (V2 and V3) remain unaffected by the exploit.
The protocol is reportedly collaborating with security firms to conduct a full post-mortem examination and patch the vulnerability.
The breach has rippled across the crypto market. Major tokens, including Bitcoin (BTC) and Ethereum (ETH), saw sharp price declines. This happened on Monday as investors reacted to shaken confidence in DeFi infrastructure.
Industry analysts warn that the incident underscores how even audited protocols remain vulnerable. This occurs when legacy code or complex smart-contract logic is involved. As one report put it, this is “a case study in smart contract vulnerabilities.”
Q: What is yETH, and how is it different from ETH?
A: yETH is not the native Ethereum token. Rather, it’s an index token offered by Yearn Finance that bundles multiple liquid staking derivatives (e.g., stETH, rETH). It allows investors to hold a diversified staking position via a single token rather than managing multiple staking assets individually.
Q: How did the attacker drain $9 million from Yearn?
A: The attacker exploited a bug in the yETH smart contract that allowed “infinite-minting” of yETH tokens. This effectively created synthetic tokens out of thin air without collateral. Those fake tokens were then swapped for real assets (ETH and staking derivatives). Thus, the liquidity pools were drained in a single transaction.
Q: What happened to the stolen funds?
A: On-chain data shows the attacker transferred about 1,000 ETH (~$3 million) to Tornado Cash. Tornado Cash is a mixer used to obfuscate cryptocurrency transactions. The remaining funds, roughly $6 million in various ETH staking derivatives and liquidity tokens, appear to reside in the attacker’s wallet.
Q: Are all Yearn Finance products compromised?
A: No. According to Yearn Finance, only the legacy yETH liquidity-pool contract was affected. Its core Vaults, V2 and V3, remain secure and were not impacted by this exploit.
Q: What does this incident mean for DeFi security and investors?
A: The exploit highlights that even well-known, audited protocols can harbor hidden vulnerabilities, especially in legacy code. For investors, it underscores the importance of due diligence, diversification, and awareness of smart contract risks. It also reignites calls for more robust audits and security standards across DeFi platforms.
The crypto market has delivered yet another reminder that "decentralized" doesn't always mean "secure." This…
The long-awaited Pump (PUMP) airdrop finally landed in eligible wallets, and many recipients did exactly…
The crypto industry has a remarkable talent for turning simple ideas into complicated acronyms. The…
The memecoin market is once again proving that crypto traders can generate a week of…
If there's one thing guaranteed to send Crypto Twitter into detective mode, it's a giant…
The crypto market never runs out of creative ideas. One day it's dog coins, the…
This website uses cookies.