Yearn Finance has been hit by a sophisticated exploit centered on its legacy yETH product, resulting in an estimated loss of around $9 million. The attacker abused a critical “infinite mint” flaw in the yETH token’s design, allowing the creation of an astronomical supply of synthetic tokens that were quickly swapped for real assets across liquidity pools.​

Image Source: Yearn Finance

Infinite-Mint Bug

The incident unfolded on November 30 at roughly 21:11 UTC, when a malicious wallet interacted with an older yETH contract that bundled multiple Ethereum liquid staking tokens like stETH and rETH into a single index token. A logic flaw in the token’s minting mechanism meant the contract did not properly enforce collateral or supply limits, effectively turning it into a money printer for anyone who found the weakness.​ On-chain data shows the exploiter minted on the order of 235 trillion yETH in a single transaction. With this near-infinite stack of synthetic tokens in hand, the attacker targeted liquidity pools that paired yETH with valuable assets such as ETH and various liquid staking derivatives. By dumping the fake yETH into those pools, the exploiter systematically drained them of real tokens, including ETH, stETH, rETH, and other derivatives, until the pools were almost entirely emptied.​

Balancer Pools Drained

The first and hardest-hit venues were Balancer-based liquidity pools supporting yETH pairs. Before the attack, one of the main pools reportedly held close to $11 million in value; post-exploit, the majority of that liquidity had been stripped out in a single, highly optimized transaction sequence. Early estimates from multiple analytics and security firms converge on a realized loss figure in the $2.8–$3 million range for immediately stolen ETH alone, but broader tallies of drained assets across the affected pools push the total impact to around $9 million.​

Once the pools were emptied, the attacker began moving the proceeds. Blockchain monitoring services flagged roughly 1,000 ETH being funneled through Tornado Cash in batches, a well-known privacy mixer often used to obfuscate stolen funds. The wallet linked to the exploit still holds an estimated $6 million in various staked Ethereum derivatives and other tokens, indicating that a significant portion of the haul remains parked on-chain but difficult to claw back.​ Investigators also noted that several helper contracts used during the attack were deployed minutes before the minting transaction and self-destructed shortly afterward..​

Yearn’s Response

Yearn Finance’s team quickly acknowledged the incident, confirming that the vulnerability sat inside a legacy yETH token implementation rather than the protocol’s main vault infrastructure. They emphasized that active Yearn vaults and user positions on current products remained unaffected, framing the compromised contract as a custom, older design that did not share code paths with the flagship strategies.​ In the immediate aftermath, Yearn moved to isolate the affected yETH product and associated pools, coordinating with security partners and auditing firms to dissect the bug and prevent any repeat scenarios. At the time of writing, the team has not laid out a formal reimbursement or recovery plan for impacted liquidity providers, and investigations into the exploiter’s on-chain activity are ongoing.​

Market Context

News of the exploit landed just as the broader crypto market was heading into December, adding fresh anxiety to already fragile sentiment. Some market trackers linked a brief dip in major assets like Bitcoin and Ether to the headlines around the “Yearn incident,” as traders once again weighed the systemic risks posed by older, under-maintained DeFi contracts.​ For the DeFi sector, the attack is another stark reminder that dormant or “legacy” code paths can be just as dangerous as new, experimental features. The yETH bug did not arise from an exotic, cutting-edge mechanism but from a subtle misconfiguration in supply and collateral checks. As platforms mature, the pressure to comprehensively audit, deprecate, or harden their older products will only grow, especially when billions in total value locked sit a few lines of code away from catastrophe.