Exploit Details and Initial Impact
Yearn Finance is responding to a new security breach in which an attacker exploited a long-standing flaw in its legacy yETH token contract. On November 30, the exploiter triggered an infinite-mint vulnerability and generated over 235 trillion yETH tokens in a single transaction, a supply far exceeding the intended amount.
We are investigating an incident involving the yETH LST stableswap pool.
Yearn Vaults (both V2 and V3) are not affected.
— yearn (@yearnfi) November 30, 2025
With this massive token batch, the attacker proceeded to drain Balancer pools that contained real assets, including ETH and prominent liquid staking derivatives. The yETH stableswap pool was depleted within minutes, leading to an estimated deficit of $2.8 million.
Incident Scope and Protocol Security
Yearn Finance has confirmed that the vulnerability was specific to an outdated version of its yETH logic and does not impact its V2 or V3 vaults. Protocols built on Yearn V3, such as Katana, have also reported no exposure to the exploit.
Security analysts observed that a set of helper contracts appeared shortly before the attack and were self-destructed after the pools were drained, a tactic often employed to obscure on-chain activity. Initial analyses suggest the attacker exploited a known minting weakness in the legacy contract, rather than a vulnerability in Yearn's current architecture.
The protocol continues to operate an active bug bounty program, offering up to $200,000 for critical vulnerability discoveries. No recovery plan has been announced at this time.
Fund Movements and Historical Context
On-chain monitoring has indicated that the attacker routed ETH through Tornado Cash in batches of 100 shortly after the exploit. Approximately 1,000 ETH was mixed within hours, while additional assets valued at several million dollars remain in the attacker's wallets.
Before the breach, the yETH pool held approximately $11 million. Yearn has reiterated that user funds within active vaults are secure, although the final total loss figures are still being calculated.
This incident is not the first time Yearn has had to address risks associated with legacy products, following its yDAI exploit in 2021 and a treasury misconfiguration in 2023.

