In a major blow to the decentralized finance (DeFi) world, Yearn Finance has confirmed it lost approximately US$9 million after an attacker exploited a severe vulnerability in its legacy yETH product. The attack, which took place on November 30, 2025, drained the entire yETH liquidity pool in a single transaction.
How the Exploit Worked
yETH is a liquid-staking index token that bundles several staking derivatives, such as stETH and rETH, into a single asset. It gives users exposure to staked ETH via one simplified token.
According to on-chain analysis, the attacker leveraged a critical “infinite-mint” flaw in the yETH smart contract. The bug allowed minting of a near-unlimited number of yETH tokens without requiring the proper collateral or supply checks.
Once the attacker minted these synthetic yETH tokens, they were immediately swapped for real ETH and other liquid staking derivatives drawn from Yearn’s liquidity pools. According to Yearn’s internal breakdown, this single transaction drained around $8 million from the custom stableswap pool and another $0.9 million from the yETH–WETH pool.
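As an added illustration that is not Yearn’s code (the article does not give the details of the real yETH bug), the following constructed Python model shows the class of defect described above: an index token whose mint path credits tokens without taking collateral or enforcing a supply cap, beside a hardened mint and the backing invariant a monitor could poll to detect such a mint.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class IndexPool:
    """Toy yETH-style index token backed by a basket of liquid-staking
    derivatives. Constructed example, not Yearn's implementation."""
    reserves: dict[str, float] = field(default_factory=dict)  # asset -> units held
    rates: dict[str, float] = field(default_factory=dict)     # asset -> ETH per unit
    total_supply: float = 0.0                                  # index tokens outstanding
    supply_cap: float = float("inf")                           # hard ceiling on minting

    def backing_eth(self) -> float:
        # ETH value of the collateral actually held by the pool
        return sum(self.reserves.get(a, 0.0) * r for a, r in self.rates.items())

    def is_solvent(self) -> bool:
        # Invariant every mint path must preserve: outstanding tokens never
        # exceed the ETH value backing them. Cheap to check off-chain as an alert.
        return self.total_supply <= self.backing_eth() + 1e-9

    def mint_unchecked(self, to_mint: float) -> None:
        # Vulnerable pattern: tokens are credited with no collateral received
        # and no cap check, i.e. the "infinite mint" described in the article.
        self.total_supply += to_mint

    def mint(self, asset: str, amount: float) -> float:
        # Hardened path: tokens are created only against collateral received,
        # valued at the current rate, and bounded by supply_cap.
        if amount <= 0 or asset not in self.rates:
            raise ValueError("unsupported asset or non-positive amount")
        to_mint = amount * self.rates[asset]
        if self.total_supply + to_mint > self.supply_cap:
            raise ValueError("supply cap exceeded")
        self.reserves[asset] = self.reserves.get(asset, 0.0) + amount
        self.total_supply += to_mint
        if not self.is_solvent():
            raise RuntimeError("mint broke backing invariant")
        return to_mint


def demo() -> tuple[bool, bool]:
    """Apply both mint paths to identical constructed state and return
    (solvent_after_unchecked_mint, solvent_after_checked_mint)."""
    start = dict(reserves={"stETH": 100.0, "rETH": 50.0},
                 rates={"stETH": 1.0, "rETH": 1.1},
                 total_supply=155.0, supply_cap=1_000.0)
    bad = IndexPool(**copy.deepcopy(start))
    bad.mint_unchecked(1_000_000.0)   # nothing deposited, supply explodes
    good = IndexPool(**copy.deepcopy(start))
    good.mint("stETH", 10.0)          # 10 stETH in, 10 index tokens out
    return bad.is_solvent(), good.is_solvent()
```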
Laundering the Stolen Funds
Blockchain data traced the attacker’s subsequent moves. Approximately 1,000 ETH (worth about $3 million) was transferred into Tornado Cash. Tornado Cash is a decentralized mixer widely used to obfuscate fund trails.
Another estimated $6 million remains in the attacker’s wallet, held in a variety of staking derivatives and liquidity tokens.
What Yearn Finance Says
In response, Yearn publicly stated that the compromised contract belongs to a legacy yETH pool. Notably, its core Vaults (V2 and V3) remain unaffected by the exploit.
The protocol is reportedly collaborating with security firms to conduct a full post-mortem examination and patch the vulnerability.
Wider Impact: DeFi Risk Spotlight
The breach has rippled across the crypto market. Major tokens, including Bitcoin (BTC) and Ethereum (ETH), saw sharp price declines on Monday as investors reacted to shaken confidence in DeFi infrastructure.
Industry analysts warn that the incident underscores how even audited protocols remain vulnerable when legacy code or complex smart-contract logic is involved. As one report put it, this is “a case study in smart contract vulnerabilities.”
Why This Matters
- Smart contract risk: A single logic flaw, the “infinite-mint” bug, turned yETH into a literal money-printer that siphoned real assets.
- Legacy code danger: The exploit targeted a legacy contract outside Yearn’s main vaults. It shows that older components can become critical weak points.
- DeFi traceability issues: Use of Tornado Cash for laundering amplifies challenges in tracking and potentially recovering stolen funds.
- Eroded trust in DeFi platforms: As major protocols suffer repeated losses, retail and institutional investors may grow more cautious about staking funds in DeFi.
FAQ
Q: What is yETH, and how is it different from ETH?
A: yETH is not the native Ethereum token. Rather, it’s an index token offered by Yearn Finance that bundles multiple liquid staking derivatives (e.g., stETH, rETH). It allows investors to hold a diversified staking position via a single token rather than managing multiple staking assets individually.
Q: How did the attacker drain $9 million from Yearn?
A: The attacker exploited a bug in the yETH smart contract that allowed “infinite-minting” of yETH tokens, effectively creating synthetic tokens out of thin air without collateral. Those fake tokens were then swapped for real assets (ETH and staking derivatives), draining the liquidity pools in a single transaction.
Q: What happened to the stolen funds?
A: On-chain data shows the attacker transferred about 1,000 ETH (~$3 million) to Tornado Cash. Tornado Cash is a mixer used to obfuscate cryptocurrency transactions. The remaining funds, roughly $6 million in various ETH staking derivatives and liquidity tokens, appear to reside in the attacker’s wallet.
Q: Are all Yearn Finance products compromised?
A: No. According to Yearn Finance, only the legacy yETH liquidity-pool contract was affected. Its core Vaults, V2 and V3, remain secure and were not impacted by this exploit.
Q: What does this incident mean for DeFi security and investors?
A: The exploit highlights that even well-known, audited protocols can harbor hidden vulnerabilities, especially in legacy code. For investors, it underscores the importance of due diligence, diversification, and awareness of smart contract risks. It also reignites calls for more robust audits and security standards across DeFi platforms.