Thursday, January 15, 2026

Yearn Finance exploit: Legacy yETH pool drained after infinite-mint bug

On Sunday, the Yearn Finance protocol’s legacy yETH product was exploited, allowing an attacker to mint effectively unlimited yETH and drain almost 9 million dollars’ worth of ETH and liquid staking tokens from Balancer and Curve pools in a single sequence of transactions. Yearn says the incident is confined to this older contract; its V2 and V3 vaults remain untouched.

Yearn Finance exploit hits legacy yETH pool

The target was a custom stableswap-style pool backing yETH, a basket of staked ETH derivatives. A flaw in the legacy yETH minting logic let the attacker create an absurd volume of tokens (on the order of hundreds of trillions) without supplying collateral, then immediately swap those fake claims for real assets in Balancer liquidity.

Roughly 8 million dollars were lifted from the main yETH stableswap pool and just under 1 million from a yETH–WETH pool on Curve, bringing confirmed losses to around 9 million dollars. Yearn has stressed that no equivalent code is used elsewhere in the protocol.

Flows through Tornado Cash and early recovery

Soon after the Yearn Finance exploit, about 1,000 ETH (roughly 3 million dollars at prevailing prices) was pushed through Tornado Cash in a series of 100-ETH deposits, while the exploiter wallet retained around 6 million dollars in ETH and liquid staking tokens.

Not all of the stolen value has vanished into mixers. With help from the Plume and Dinero teams, Yearn coordinated the recovery of 857.49 pxETH, worth roughly 2.4 million dollars at the time of the transaction, which is now earmarked for affected users.

Governance response and user impact

This Yearn Finance exploit is the third successful attack on a Yearn product since 2021, and governance moved quickly to contain the political damage. A proposal passed on 1 December with overwhelming support to reimburse roughly 3.2 million dollars of user losses via a USDC Merkle drop funded from the treasury, alongside a patched contract, a paused router and an enlarged bug bounty.

In practice, the direct blast radius is contained: mainly yETH depositors and LPs in the affected pools. For everyone else, the incident serves as a reminder that “legacy” code paths and bespoke pool logic can remain live long after attention has shifted to newer vaults.

DeFi risk

The Yearn Finance exploit shows how DeFi risk often sits in older, math-heavy contracts that nobody quite wants to retire while they are still generating yield. A recognisable blue-chip label does not turn those strategies into cash accounts; they are structured products built on smart contracts, with all the associated failure modes.


Disclaimer: This article is for information purposes only and does not constitute investment, legal or tax advice. Always do your own research before committing capital.
