Yearn Finance recently experienced a severe security incident, where hackers exploited a critical flaw in the yETH token contract, resulting in the theft of approximately $9 million worth of assets. The breach, which occurred on November 30, 2025, involved the creation of an unlimited number of synthetic yETH tokens. These tokens were then exchanged for genuine assets from various liquidity pools. The vulnerability was found in an older version of the yETH product, a liquid staking index that aggregates Ethereum-based derivatives.
The attackers took advantage of an infinite-mint bug in the yETH contract, enabling them to mint 235 trillion tokens in a single transaction. Using these artificially created tokens, they drained funds from several pools, including:
To conceal their tracks, the perpetrators laundered roughly 1,000 ETH (valued at $3 million at the time) through Tornado Cash, a service that obscures blockchain transactions. They also deployed and later destroyed helper contracts to further hide their activities.
Yearn Finance has assured users that its main V2 and V3 Vaults were not impacted by the attack, stressing that the vulnerability was limited to the outdated yETH contract. Reports indicate that the protocol’s Total Value Locked (TVL) stayed above $600 million, suggesting the core infrastructure remained secure. To address the breach, Yearn Finance has enlisted the help of external security experts, including ChainSecurity and SEAL911, to investigate and apply necessary fixes.
The market’s response to the hack was mixed. Surprisingly, Yearn’s governance token, YFI, saw a rapid price increase from $4,080 to over $4,160 within an hour of the news. Analysts believe this was due to a short squeeze, as some traders misunderstood the extent of the breach. Once it became clear that the main vaults were unaffected, short-sellers rushed to cover their positions, pushing the price higher.
This event highlights persistent security risks in decentralized finance, especially those linked to outdated smart contracts and liquid staking products. Yearn Finance has faced similar attacks in the past, including a 2021 exploit that cost its yDAI vault $11 million and a 2023 incident that wiped out 63% of a treasury holding. The DeFi sector as a whole has struggled with security in 2025, with CertiK reporting $127 million in losses from hacks and exploits in November alone.
Yearn Finance is urging users to keep a close eye on their holdings and to contact support through its Discord channel if needed. The investigation is ongoing, with teams working to determine the full impact and strengthen security measures. As DeFi continues to evolve, this breach serves as a stark reminder of the importance of thorough audits and proactive risk management in complex financial protocols.