Yearn Finance Hit by $9M Exploit as Hacker Mints “Infinite yETH Tokens”

Yearn Finance, one of the most well-known DeFi platforms, has suffered a major security incident that caused nearly $9 million in losses. The attack targeted a custom stable-swap pool linked to Yearn’s yETH token, allowing the hacker to mint almost unlimited tokens and drain the pool in a single strike.

Here are the key details.

How the Attack Happened

According to Yearn Finance, the issue occurred on November 30 around 21:11 UTC. The affected contract was designed differently from Yearn’s main products, but a weakness in that code allowed the attacker to mint a near-infinite number of yETH tokens, far beyond what the system was supposed to allow.

With these fake tokens, they withdrew real ETH and liquid staking assets from the pool. 

Around $8 million was drained from the main stableswap pool, and another $0.9 million was removed from the yETH-WETH pool on Curve. The damage is nearly $9 million.

$3 Million Laundered Through Tornado Cash

Blockchain security firm PeckShieldAlert confirms that the exploiter quickly moved around 1,000 ETH ($3 million) into Tornado Cash, a platform often used to hide transaction trails. The remaining stolen funds, roughly $6 million, still sit in the attacker’s wallet address (0xa80d…c822).

The wallet currently holds a mix of ETH, pxETH, frxETH, cbETH, Lido stETH, and Rocket Pool rETH. Most of this is now staked, likely an attempt to delay recovery or complicate potential legal actions.

Yearn Finance’s Response

Yearn Finance’s team quickly responded, confirming that the exploit was isolated to the legacy yETH product and assured users that active vaults and their funds remain safe. 

They have been working with security teams and auditors to investigate the incident further. Until now, no recovery plan has been announced. 

Following the attack news market reaction saw Yearn’s governance token (YFI) drop about 4.4% post-incident, trading near $3956.