Key Highlights
- A hacker exploited an “infinite mint” vulnerability in Yearn Finance’s yETH product, which allowed them to create unlimited yETH tokens and steal approximately $3 million from a liquidity pool in a single transaction
- The total stolen fund of around 1,000 ETH were laundered through the sanctioned privacy mixer Tornado Cash
- Yearn Finance clarified that its core vaults are unaffected in this cyberattack
Yearn Finance, a major decentralised protocol, has confirmed the recent security breach on its platform. On November 30, the exploit took place on the protocol, in which Yearn’s yETH was targeted.
We are investigating an incident involving the yETH LST stableswap pool.
Yearn Vaults (both V2 and V3) are not affected.
— yearn (@yearnfi) November 30, 2025
According to a report, a highly sophisticated transaction has allowed an attacker to create a nearly endless supply of yETH tokens. This fake supply was then used to drain approximately $3 million in real assets from connected liquidity pools.
Shortly after this suspicious transaction, on-chain data revealed that the stolen funds, with around 1000 ETH, were sent through Tornado Cash, which is a privacy tool that makes it extremely difficult to trace cryptocurrency transactions.
What is yETH?
yETH is a liquid staking token index. Its purpose is to make staking on the Ethereum network simpler for daily users. Instead of choosing a single staking service, yETH automatically uses a combination of many popular staking tokens, including Lido’s stETH and Rocket Pool’s rETH, into one single token.
This allows users to diversify their yield-bearing assets. The product became so popular and held over $8.82 million in total value locked on the protocol, according to DefiLIama.
What Happened on Yearn Finance ETH?
According to the expert, the attacker has taken advantage of the protocol’s infinite vulnerability within the yETH smart contract. In simple words, this flaw allowed the attacker to generate a massive, unauthorised amount of yETH tokens without providing the required collateral to generate these tokens.
(Source: Togbe on X)
On November 30, the attacker used newly created smart contracts to interact with the yETH system. These contracts have tricked the system and decisively bypassed the normal safety checks. In a single transaction, the attacker minted trillions of yETH tokens out of thin air.
This huge amount of worthless yETH was then immediately swapped for valuable assets like ETH and stETH in a Balancer liquidity pool. This allowed the attacker to drain this pool.
An on-chain sleuth was among the first to trace the suspicious activity on the network, stating that the pool had been drained for a profit of about 1,000 ETH. After the attack, the pool’s value dropped to almost zero. According to a report, the attacker has managed to walk away with approximately $3 million after accounting for transaction costs.
To camouflage these tracks, the malicious contracts in the hack were programmed to self-destruct immediately after the theft. This is the common technique used in this type of hack.
The hacker then quickly moved to launder the stolen funds. The entire sum of 1,000 ETH was broken down into smaller batches and sent through Tornado Cash. This platform is developed to erase the trail of cryptocurrency, and earlier, it was officially sanctioned by the U.S. government because it is often used by criminals to hide their funds.
Yearn Finance Investigates the Incident
After this hack, the Yearn Finance team released an official statement, confirming that they were investigating the exploit involving the specific yETH pool.
However, they ensured that their Yearn Vaults, which managed over half of billion dollars, were completely unaffected. This isolation of the problem prevented a much larger disaster. Yearn clarified that yETH is an experimental index that operates separately from its main secure vault system.
This is not the first time Yearn Finance has suffered a cyber attack. Back in April 2023, the protocol suffered a similar exploit due to an old and outdated contract, which allowed the attacker to steal $11 million.
