Yearn Finance has suffered a major security breach, resulting in the loss of approximately $9 million. The exploit targeted a legacy stable swap pool associated with the protocol’s yETH token, which allowed hackers to mint an infinite number of coins.
Flaw in the yETH Contract
Blockchain security firm Peckshield was the first to flag the incident, stating, "Yearn Finance suffered an attack resulting in a total loss of ~$9M."
According to analysts, the attacker abused a critical vulnerability in the yETH token contract. This vulnerability allowed them to mint fresh yETH without posting adequate collateral, effectively inflating the token supply at will. This loophole was then used to drain liquidity from a pool outside of Yearn’s core vault products.
The exploit targeted a custom-built contract designed to aggregate staked Ethereum derivatives such as stETH and rETH. The protocol later shared that the yUSND pool and Nerite’s vaults remained secure and were not impacted by the protocol failure. Following the attack, those responsible laundered over $3 million in stolen ETH through Tornado Cash. Meanwhile, the remaining $6 million in various staked Ethereum assets remained in their wallet address (0xa80d…c822) as of the latest blockchain scans.
Yearn also confirmed the compromise, reporting that $0.9 million was lost from the yETH-WETH stableswap pool on Curve, while an additional $8 million was drained from the affected pool. Impacted users were advised to open a support ticket on the project’s Discord.
Early Investigation Findings
The platform announced that it has assembled a war room, comprising SEAL911 and its audit partner, Chain Security, with a full postmortem investigation underway.
Early findings suggest that the incident shares a similar level of technical complexity with the recent Balancer hack. That unauthorized access resulted in more than $120 million being stolen across the platform’s main protocol and several forks.
On-chain analysts traced the Balancer event to a precision-loss bug in the integer fixed-point arithmetic used to calculate scaling factors within Composable Stable Pools. These pools are optimized for near-parity asset pairs like USDC/USDT or WETH/stETH.
SlowMist later shared that the flaw led to subtle but repeated price discrepancies during swaps, particularly when attackers executed multiple operations within a single transaction using the batch swap function.
Meanwhile, Yearn’s incident follows shortly after Korean exchange Upbit suffered its own security lapse, which resulted in the loss of $50 million in Ethereum.