Yearn Finance reported that a legacy yETH product was hit by an exploit that allowed an attacker to mint a massive amount of fake tokens and swap them for real assets.
According to on-chain alerts and protocol statements, the attacker created a near-infinite supply of yETH in a single transaction, then used those tokens to pull ETH and liquid-staking derivatives from liquidity pools.
The incident was first flagged on November 30, 2025, and the total impact has been reported at roughly $9 million.
#PeckShieldAlert Yearn Finance @yearnfi suffered an attack resulting in a total loss of ~$9M.
The exploit involved minting a near-infinite number of yETH tokens, depleting the pool in a single transaction.
~1K $ETH (worth ~$3M) was sent to #TornadoCash, while the exploiterβsβ¦ pic.twitter.com/IXNygpwoWa
β PeckShieldAlert (@PeckShieldAlert) December 1, 2025
Based on reports, the attacker took advantage of a flaw in the yETH minting logic and produced tokens on the order of 235 trillion in one go.
Those worthless tokens were then swapped for real assets from Balancer and Curve pools tied to the product, emptying liquidity in minutes. Chain monitors and security researchers showed the mint and subsequent swaps unfolding very quickly on the blockchain.
At 21:11 UTC on Nov 30, an incident occurred involving the yETH stableswap pool that resulted in the minting of a large amount of yETH. The contract impacted is a custom version of popular stableswap code, unrelated to other Yearn products. Yearn V2/V3 vaults are not at risk.
β yearn (@yearnfi) December 1, 2025
Reports have disclosed that roughly $8 million was pulled from the main yETH stable-swap pool, while about $0.9 million was taken from a yETHβWETH pool.
In addition, roughly 1,000 ETHβvalued at about $3 million at the time of movementβwas sent to Tornado Cash in attempts to obscure the trail. The attacker converted fake yETH into a mix of ETH and liquid staking tokens before attempting to launder funds.
According to Yearn officials and follow-up coverage, the breach was limited to an older, legacy implementation of the yETH product and did not affect Yearnβs main V2 and V3 vaults.
Deposits into the affected pool were isolated while the team and outside experts began an investigation. This isolation is said to have kept the bulk of user funds in active vaults from being touched.
Market Reaction And Wider ConcernsCrypto markets saw selling pressure as the news spread, with traders weighing the risk that comes from combining liquid staking tokens with custom swap code.
Yearn Finance said it is working with outside security teams to run a post-mortem and to patch the vulnerability. Based on reports, teams named in coverage include external auditors and blockchain investigators who are tracking the stolen funds and advising on recovery options.
The protocolβs notice warned users about the affected legacy product and urged caution while the review continues.
Featured image from Unsplash, chart from TradingView
DeFi platform Yearn Financeβs yETH product was hit by an unlimited minting of tokens on Monday, draining the entire yETH pool in a single transaction.
Yearn later confirmed the βincidentβ, assuring that its V2 and V3 Vaults remain secure and unaffected.
We are investigating an incident involving the yETH LST stableswap pool.
β yearn (@yearnfi) November 30, 2025
Yearn Vaults (both V2 and V3) are not affected.
According to blockchain data, the exploit generated a near-infinite number of yETH, draining millions from Balancer pools. Attackers roughly profited 1,000 ETH, worth $3 million, which was routed through the Tornado Cash mixer, Chinese journalist Colin Wu noted.
yETH is an index token consisting of several different liquid staked versions of ETH, in other terms, Ethereum Liquid Staking Derivatives (LSTs). The attack was first flagged by an X user Togbe, who highlighted βheavy transactionsβ on LSTs, including yearn, rocket pool, origin and dinero.
The incident apparently involved several newly deployed smart contracts, which self-destructed after the transaction, per blockchain data. The total financial losses remain unclear; however, the yETH pool had a total value around $11 million prior to the attack, Dexscreener data shows.
Following the exploit, mixed reactions came from the community, with some expressing concern over the continued use of outdated contracts.
Besides, Yearn Finance suffered a hack in 2021, affecting its yDAI vault and losing $11 million in value. The hacker apparently got away with $2.8 million at that time. Later, that protocol flagged a faulty script in December 2023, wiping out 63% of a position in its treasury.
Meanwhile, blockchain security firm CertiK confirmed on Sunday that the crypto industry suffered an estimated $127 million in losses to hacks and exploits.
The companyβs monthly threat report noted that the actual affected funds were more than $172 million. However, the numbers reduced by $45 million after some of the stolen funds were recovered.
Balancer DeFi protocol attack tops the list of major exploits in November, marking one of 2025βs largest DeFi security breaches. The platform lost over $116 million in a sophisticated cross-chain exploit that affected multiple blockchains.
About $135 million was lost in DeFi incidents, followed by $29.8 million drained in exchange hacks, CertiK data noted.
The post Yearn Financeβs yETH Suffers Major Hack, Attackers Send $3M ETH to Tornado Cash appeared first on Cryptonews.
Login