Yearn Finance’s yETH pool has suffered a complex exploit that drained roughly $9 million in assets.
The incident, centred on an older yETH contract and associated liquidity pools, unfolded on November 30 and quickly spilled over into broader market sentiment for major tokens including Bitcoin and Ethereum.
Infinite Mint Vulnerability Drains yETH Liquidity
Blockchain security alerts and Yearn’s own incident statements indicate that the attacker exploited a vulnerability that allowed the creation of an effectively unlimited amount of yETH, the protocol’s index token representing a basket of liquid‑staking derivatives on Ethereum. In a single transaction, the exploiter minted on the order of 235 trillion yETH.
The attacker then used those tokens to remove real assets, primarily ETH and liquid‑staking tokens, from Balancer and Curve liquidity pools tied to the product.
Yearn has said the flaw lay in the yETH token and pool logic, not in its newer V2 and V3 vault infrastructure. Additionally, the compromised contracts were part of legacy or isolated components rather than current core strategies.
On‑chain data and subsequent forensic summaries put the total economic impact near $9 million, including about $8 million drained from the main stableswap pool and roughly $900,000 from a related yETH‑WETH pool. Approximately 1,000 ETH, around $3 million at recent prices, was quickly routed through Tornado Cash, with additional funds still sitting in attacker‑controlled wallets.
DeFi Security Concerns
Developers and independent researchers have described the exploit as an “infinite‑mint” or pricing‑manipulation attack enabled by a combination of faulty invariants, rate‑update logic and reliance on contracts that had not been fully upgraded or decommissioned. Analysts noted that the attacker deployed several helper contracts shortly before the transaction and then self‑destructed them afterward, a pattern seen in other advanced DeFi exploits aimed at obscuring the on‑chain trail.
The incident follows earlier security events in the DeFi sector and adds to November’s running tally of more than $100 million in crypto lost to hacks and scams across multiple protocols. In response, Yearn has been working with external audit and incident‑response groups, including on‑chain security collectives, to dissect the root cause and propose remediation steps for users and liquidity providers, while reiterating that active vaults remain operational and segregated from the affected yETH contracts. The attack has in turn intensified debate over how protocols manage legacy contracts and the trade‑off between composability and the long‑term complexity of DeFi codebases.