Yearn Finance Recovers $2.4M After Complex $9M yETH Pool Exploit

Details of the Yearn Finance Exploit

Yearn Finance is actively working to recover assets that were stolen in a significant exploit. The incident, which occurred on Sunday, drained approximately $9 million from the protocol's legacy yETH pools. The attacker exploited a vulnerability in an older contract, enabling them to mint an almost unlimited supply of yETH tokens. These tokens were then used to withdraw real liquidity from both a stableswap pool and a smaller yETH-WETH pool on Curve. Yearn has confirmed that a portion of the stolen assets, estimated at around $2.4 million, has been successfully recovered so far. A collaborative effort involving Yearn's security teams and external security experts is ongoing. The protocol has reiterated that its V2 and V3 products remain unaffected by this attack. This incident marks the third attack on Yearn since 2021 and, according to the team, exhibited a complexity level comparable to the recent Balancer exploit. The attacker's ability to mint an effectively limitless quantity of yETH tokens—specifically 2.3544×10⁵⁶ yETH—concentrated the damage within the older yETH pool.

Investor Takeaway

Legacy DeFi contracts continue to represent a significant vulnerability within on-chain finance. Although Yearn's more recent products were not impacted, older pools can still be susceptible to highly precise exploits.

Mechanism of the Exploit

A post-mortem analysis released on Monday detailed the underlying flaw that facilitated the attack. The exploit stemmed from an "unchecked arithmetic" bug present in the yETH pool's minting logic, compounded by other design deficiencies. By exploiting this vulnerable function, the attacker managed to generate an immense quantity of yETH tokens. The post-mortem report clearly outlines the sequence of events: "The actual exploit transactions follow this pattern: the huge mint is followed by a sequence of withdrawals that move real assets to the attacker, while the yETH token supply is effectively meaningless." The attack involved a series of batched transactions and the use of helper contracts—temporary, specialized smart contracts frequently employed in sophisticated, multi-step exploits. According to Blockscout, the attacker deployed helper contracts that self-destructed after completing their execution, rendering them unreadable while still leaving evidence in the creation logs. These contracts were instrumental in manipulating the minting process before their subsequent destruction. Further reporting indicates that the attacker transferred at least 1,000 ETH and several liquid-staking tokens through Tornado Cash shortly after the exploit.

Asset Recovery Status

Yearn announced on Sunday that a recovery mission was "active and ongoing." Through collaboration with security firms SEAL 911, ChainSecurity, and Plume Network, the team has successfully recovered 857.49 pxETH. Additional assets are reportedly in transit across multiple blockchain networks and through various anonymization channels. The Yearn team reiterated that the attack specifically targeted a legacy contract and emphasized that "there is no other Yearn product using similar code to what was impacted." They also confirmed that any assets successfully reclaimed will be returned to the depositors who were affected by the exploit.

Investor Takeaway

The ongoing recovery efforts underscore the critical importance of cross-team incident response within the DeFi space. White-hat networks and advanced chain-level monitoring are increasingly vital in determining the extent of value that can be retrieved following security incidents.

Security of Yearn's V2 and V3 Products

Yearn has explicitly stated that the exploit was confined to its older yETH pool and did not affect its V2 and V3 vaults, which constitute the primary components of the current Yearn ecosystem. These newer vaults utilize distinct codebases and were therefore unaffected by the attack. Nevertheless, the incident highlights the persistent risk posed by inactive or under-maintained DeFi contracts that still hold user funds across the broader ecosystem. In its formative years, Yearn established itself as a leading yield aggregator. However, several older strategies remain deployed even as liquidity has migrated to newer vault structures. The yETH pool that was compromised on Sunday falls into this category—a legacy component from an earlier phase of DeFi that still retained significant value. On Sunday, Yearn advised users that its investigation would require time and patience, noting: "Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis." The key questions now revolve around the total amount of stolen funds that can be recovered and the speed at which the protocol can compensate affected depositors. This incident also raises broader concerns within DeFi regarding the number of older contracts that may still be exposed to similar arithmetic or rounding-based vulnerabilities. For Yearn, the immediate focus is on concluding recovery operations and closing this chapter related to a pool that dates back to an earlier era of yield farming—an era that attackers continue to scrutinize for overlooked security weaknesses.