Yearn Finance Loses $9 Million in yETH Exploit; Attacker Sends $3 Million to Tornado Cash

 

By James Ademuyiwa // December 1, 2025 @ 03:47 PM

Points of Focus 

  • $9 million drained from Yearn’s legacy yETH pools in an infinite-mint exploit.  
  • $3 million in ETH sent to Tornado Cash, with remaining funds still under observation.  
  • Core Yearn vaults are unaffected; the incident is isolated to a discontinued product.

 

 

Yearn Finance confirmed Sunday that an attacker exploited a vulnerability in its legacy yETH liquid-staking pool, draining approximately $9 million in assets in a single transaction. Roughly one-third of the stolen funds ($3 million in ETH) were immediately routed through the sanctioned mixer Tornado Cash.

The breach first surfaced around 4 p.m. ET when on-chain monitoring accounts flagged unusual minting activity in the yETH stableswap pool. X user Togbe was the first to post about it, sharing a screenshot alongside the caption “some other balancer-related stuff looking like an exploit considering heavy interactions with tornado.”

 

 

Security researchers later determined the attacker used a complex infinite-mint technique to generate trillions of yETH tokens, which were then swapped for ETH and other liquid-staking derivatives via integrated Balancer and Curve pools.

Yearn issued a statement on X shortly after detection, confirming the attack: “The exploit is contained to the legacy yETH LST stableswap pool and the yETH-WETH Curve pool. Yearn V2 and V3 vaults are unaffected.” 

 

 

In an updated announcement on Sunday, November 30, 2025, Yearn's X account confirmed the $11 loss and informed the public that a full post-mortem investigation had been set in motion in partnership with ChainSecurity and SEAL 911.

 

 

They also confirmed that no user funds in active vaults were touched, but the yETH pool, which was valued at $11 million pre-attack, left affected LPs exposed, prompting short positions on YFI, which briefly dropped 4.4% to $3,956.

PeckShield and Nansen analysts estimate the net loss at $8 million from the stableswap pool and $900,000 from the Curve pair. The attacker subsequently destroyed several exploit contracts, a common tactic to hinder tracing.

Yearn Finance’s security record had stayed remarkably clean for almost four years after its last big exploit in 2021, when an attacker stole $11 million from the yDAI vault. Yearn later recovered or reimbursed most of it, so the net loss to users was $2.8 million.

The attack bears technical similarities to last month’s $116 million Balancer cross-chain attack, showing potential risks in older DeFi codebases. This string of attacks has reignited DeFi security debates in a fragile market. As Ethereum eyes Prague upgrades for better security, the incident presses protocols to deprecate outdated contracts faster.

Ethereum traded at $2,927 on December 1, 2025.

 


James Ademuyiwa

James Ademuyiwa is a DeFi strategist, educator, and PhD researcher specializing in decentralized finance. With hands-on experience leading blockchain initiatives at major firms and co-founding a successful startup, he brings sharp market insight to digital asset education. He currently lectures on blockchain, digital assets, and the future of finance for global executive education programs, bridging theory and practice in the Web3 landscape.
