Crypto Theft: Yearn Finance Loses $9M, Attacker Keeps $6M in Assets

Key Takeaways
- Yearn Finance loses 9 million US dollars worth of assets to an exploit.
- The infinite mint vulnerability was the weak point that allowed the breach.
- Trillions in yETH tokens were minted by the attacker.
- 3 million US dollars worth of the stolen assets have already been moved through the privacy mixing service Tornado Cash.
- Yearn states its V2 and V3 vaults are safe.
- The community raises safety concerns about deprecated legacy systems in DeFi.
A recent attack on Yearn Finance, one of the most established yield-optimizing protocols in decentralized finance (DeFi), has shocked the market. The attack exploited the legacy yETH product and resulted in a loss of $9 million. The exploit raises questions about protocol security, legacy code maintenance, and the growing sophistication of modern DeFi attacks.
Investigations are underway as the attacker is reportedly still holding $6 million worth of assets in their custody. Even though a portion of the assets has been funneled through privacy mixing services, authorities hope that they can retrieve the remaining lost assets to reduce the impact of the attack.
In this article, we will break down the events of the attack, the mechanism behind the exploit, the immediate fallout, and the broader implications for DeFi users.
How the yETH Pool Was Drained
On 30th November, 2025, at around 21:11 UTC, Yearn Finance’s yETH became the target of a precision DeFi attack. yETH is a basket-like index that holds various ETH staking derivatives. The attack began when the attacker deployed a set of custom contracts built to take advantage of a flaw in the yETH minting mechanism.
At the core of the exploit was an “infinite-mint vulnerability”. By exploiting misconfigured or insufficiently restricted contract logic, the attacker minted a staggering amount of yETH, amounting to trillions of tokens. Even though the minted tokens had no backing, the protocol’s liquidity pools treated them as valid assets.
The attacker then quickly swapped the fraudulent synthetic yETH for legitimate ETH and other LST assets held in Yearn’s liquidity reserves. It was this swap that turned the unbacked mint into a real-world loss of funds. Approximately 8 million US dollars were siphoned from Yearn itself, while 0.9 million US dollars were taken through a swap against the yETH-WETH pool on Curve. This brought the total losses to around 9 million US dollars.
Aftermath of the Attack: Fund Movement
Following the attack and the subsequent drain, the attacker began laundering the stolen assets. The first major movement involved 1000 ETH worth approximately 3 million US dollars, transacted through the Tornado Cash privacy mixer.
Despite successfully laundering about 3 million US dollars, the attacker’s wallet still holds nearly 6 million US dollars, according to the analysts who are tracking the attacker. The holdings include ETH staking derivatives and liquidity pool tokens. According to the analysts, the remaining assets could potentially be frozen or monitored, depending on the attacker’s next cash-out attempt. However, no recoveries have been reported so far.
The attacker used a series of self-destructing smart contracts, which makes forensic analysis of the attack much more difficult. After the attack, these helper contracts removed any trace of the attacker’s strategy from the mainnet.
Why the Exploit Worked
The success of this attack can be attributed to several key weak points within the DeFi ecosystem. We will now take a short look at each of them.
The breach was possible mainly because of vulnerabilities in a legacy contract. The exploited code was tied to older Yearn infrastructure, not the newer vaults that users interact with today. Because legacy systems see little use, they tend to be deprecated and left unmonitored, which makes them weak points that exploiters can target.
The token’s complexity was another weak point. yETH is a complex token that comprises several LSTs. Its design involves deposit logic, mint calculations, and conversion formulas. This complexity inherently broadened the attack surface. In this specific case, a flawed minting path was what gave the attacker a way in.
Even though the minted yETH was counterfeit, the token pools accepted it without verification. This is a problem associated with AMMs (Automated Market Makers). AMMs are known for their inability to detect fraud, and will trade anything that adheres to the token infrastructure.
Yearn’s Response and Community Feedback
In the statement that followed the attack, Yearn confirmed the incident and assured users that the widely used V2 and V3 platforms were unharmed. Following this, Yearn has started countermeasures by teaming up with auditing firms and on-chain security teams.
Despite this attack, the broader ecosystem of Yearn remained unaffected. The TVL, or Total Value Locked, did not suffer any catastrophic effects from the attack either. Following the attack, the DeFi community is actively discussing countermeasures and more robust safeguards to be put in place in the future.
According to the community, legacy contracts should be audited on a regular basis. Another suggestion closely related to this specific attack was to put automatic circuit breaker mechanisms in place in the minting logic. Users also raised questions about how well the deprecated pools are monitored and called for more transparency around them.
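The circuit breaker idea raised by the community can be sketched as an off-chain Python model. This is an added example, not Yearn's code, and it does not reproduce the yETH flaw, whose details this article does not give. The class name, thresholds and sample values are assumptions: the guard halts minting when a mint would leave supply unbacked, or when supply grows too fast within a rolling window.

```python
from collections import deque
from dataclasses import dataclass, field

BPS = 10_000  # basis-point denominator

@dataclass
class MintCircuitBreaker:
    """Guard in front of a mint path (hypothetical design, constructed parameters)."""
    total_supply: int           # tokens outstanding
    backing_value: int          # reserve value, in the same units as the token
    max_growth_bps: int = 500   # assumed policy: supply may grow 5% per window
    window_secs: int = 3600
    tolerance_bps: int = 10     # rounding slack allowed between supply and backing
    tripped: bool = False
    recent: deque = field(default_factory=deque, init=False)  # (time, amount)

    def _minted_in_window(self, now: int) -> int:
        # Drop mints that have aged out of the rolling window, sum the rest.
        while self.recent and self.recent[0][0] <= now - self.window_secs:
            self.recent.popleft()
        return sum(amount for _, amount in self.recent)

    def _trip(self, reason: str):
        self.tripped = True      # stays set until an operator reviews and resets
        return False, reason

    def mint(self, amount: int, deposit_value: int, now: int):
        """Return (accepted, reason); supply and backing change only if accepted."""
        if self.tripped:
            return False, "breaker tripped"
        if amount <= 0 or deposit_value < 0:
            return False, "invalid amount"
        new_supply = self.total_supply + amount
        new_backing = self.backing_value + deposit_value
        # Invariant: tokens outstanding never exceed what the reserves back.
        if new_supply * BPS > new_backing * (BPS + self.tolerance_bps):
            return self._trip("unbacked mint")
        # Rate limit: cap growth relative to supply at the start of the window.
        minted = self._minted_in_window(now)
        cap = (self.total_supply - minted) * self.max_growth_bps // BPS
        if minted + amount > cap:
            return self._trip("window growth cap")
        self.recent.append((now, amount))
        self.total_supply, self.backing_value = new_supply, new_backing
        return True, "ok"
```

Once tripped, the guard rejects every later mint, including well-formed ones, so an unbacked mint stops at the first attempt instead of reaching the liquidity pools.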
Conclusion
This latest 9 million US dollar heist reveals one thing about DeFi: a protocol is only as strong as its weakest contract. While Yearn’s flagship vaults were untouched, the incident highlights the need for aggressive deprecation of legacy code and improved safeguards for minting functions.
Full recovery of the remaining $6 million is far from certain, and a significant portion of the stolen assets is already gone. The only thing that remains certain is that Yearn, alongside the entire DeFi community, must continue evolving its security posture to match the increasing sophistication of modern exploiters.
