Yearn Finance Hit by $9 Million Exploit After yETH Minting Vulnerability Exposed

Published: 01.12.2025 by Noirbull

TL;DR

Yearn Finance lost around $9 million in a sophisticated exploit that allowed attackers to mint unlimited yETH and drain a custom stETH/rETH liquidity pool. Over $3 million has already been mixed through Tornado Cash, while investigations are underway with SEAL911 and Chain Security.

Yearn Finance has been hit by a serious security incident that resulted in roughly $9 million in losses after attackers exploited a flaw in a legacy smart contract tied to the protocol’s yETH token. The vulnerability enabled the creation of unlimited yETH, which the attacker used to drain liquidity from a custom pool holding staked Ethereum assets.

The breach was first identified by on-chain security firm PeckShield, which reported that a critical weakness in the yETH token contract allowed unauthorized minting. This flaw let the attacker generate yETH without providing proper collateral, inflating supply and enabling them to siphon funds from a specialized pool outside Yearn’s primary vaults.

The targeted pool aggregated derivative assets such as stETH and rETH. Yearn clarified that other products, including the yUSND pool and Nerite vaults, were unaffected. Following the exploit, the attacker moved more than $3 million worth of ETH through Tornado Cash to obscure the trail, while approximately $6 million in staked Ethereum assets remain in the attacker’s wallet at the identified address.

Yearn confirmed the exploit on X, stating that $900,000 was taken from the yETH-WETH Curve pool and an additional $8 million from the affected custom pool. Users impacted by the incident have been advised to open support tickets via Discord.

A war room has been formed to handle the investigation, consisting of the SEAL911 rapid-response group and Chain Security. Early indications suggest the incident is similar in complexity to the recent Balancer exploit, where more than $120 million was drained due to an arithmetic precision bug within stable pool calculations. That flaw allowed attackers to manipulate swap pricing subtly over multiple operations executed in a single transaction.

The incident also lands shortly after Korean exchange Upbit suffered its own security breach, which resulted in a $50 million Ethereum loss, highlighting ongoing challenges across the DeFi and exchange ecosystem as attackers continue targeting smart contract vulnerabilities.
