ExchangeDEX+

Buy Crypto Markets Spot FuturesBTC Earn Event Center

Yearn Finance is dealing with a fresh security breach after an attacker exploited its yETH token contract and drained millions in ETH and liquid staking assets from Balancer pools. The incident unfolded late on Nov. 30 when an attacker triggered…Yearn Finance is dealing with a fresh security breach after an attacker exploited its yETH token contract and drained millions in ETH and liquid staking assets from Balancer pools. The incident unfolded late on Nov. 30 when an attacker triggered…

Yearn Finance hit by yETH exploit with $3M sent to Tornado Cash

2025/12/01 11:15

Yearn Finance is dealing with a fresh security breach after an attacker exploited its yETH token contract and drained millions in ETH and liquid staking assets from Balancer pools.

Summary

The exploit targeted an older yETH contract, allowing the attacker to mint an unlimited supply of tokens and empty the Balancer pool.
Around 1,000 ETH moved through Tornado Cash shortly after the attack, with more assets still held across the attacker’s wallets.
Yearn confirmed the issue is isolated from its V2 and V3 Vaults and is preparing a detailed report on the incident.

The incident unfolded late on Nov. 30 when an attacker triggered an infinite-mint flaw inside the yETH contract. They then minted an impossibly large supply of yETH, more than 235 trillion tokens, in a single transaction.

With those tokens, the attacker moved quickly through Balancer pools, removing real assets, including ETH and popular staking derivatives. Initial traces show close to $3 million flowing through Tornado Cash shortly after the exploit, while the attacker’s address still holds additional assets tied to the event.

Exploit isolated to legacy yETH product

Blockchain data shows the yETH stableswap pool was emptied within minutes, leaving a roughly $2.8 million hole. Yearn Finance(YFI) said the issue sits within an older implementation of yETH and does not touch its V2 or V3 Vaults. Protocols built on Yearn V3, including Katana, also reported no exposure.

Several helper contracts appeared just moments before the attack and vanished through self-destruct calls once the pool was drained, making the trail harder to follow.

Security teams reviewing the transactions, including auditors tracking Yearn’s older products, linked the event to a long-standing minting weakness inside the yETH token logic, rather than a problem in Yearn’s current vault architecture.

The protocol maintains a live bug bounty program with rewards reaching $200,000 for critical discoveries, though no recovery path has been announced yet.

On-chain movement intensifies after liquidity drain

Soon after the pool collapsed, X user Togbo flagged several movements of 100 ETH batches passing through Tornado Cash. Around 1,000 ETH in total was mixed in the hours following the exploit. The attacker still retains additional assets worth several million dollars across multiple wallets.

The yETH pool carried roughly $11 million before the breach, and while the final loss number is still under review, Yearn said user funds inside active vaults remain safe.

This incident adds to the protocol’s long record of managing legacy risks, coming years after its 2021 yDAI exploit and a 2023 treasury misconfiguration that did not affect depositors. YFI slipped about 4% after the event and traded near $4,002 at press time.

Market Opportunity

TokenFi Price(TOKEN)

$0.004746

$0.004746$0.004746

-3.57%

USD

TokenFi (TOKEN) Live Price Chart

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact [email protected] for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.