Yearn Finance Exploited: Hacker Mints "Infinite yETH Tokens" in $9M DeFi Breach

Author: Coingape
Published: 2025-12-01 04:55:30

Another day, another nine-figure reminder that code is law—until someone finds a loophole.

The Infinite Mint Glitch

A smart contract vulnerability let an attacker create yETH tokens out of thin air. No deposit, no collateral—just digital alchemy that drained liquidity pools dry. The exploit bypassed core validation checks, turning a yield-bearing vault into a personal printing press.

The $9 Million Withdrawal

The hacker swapped those fabricated tokens for real assets, siphoning off millions before the protocol could react. It wasn't a sophisticated attack—just a brutal exploitation of a single flawed function. The entire heist executed in blocks, leaving arbitrage bots to clean up the mess.

DeFi's Recurring Nightmare

Yearn joins the hall of fame for protocols that learned the hard way: complex financial engineering often outpaces security audits. The incident exposes the fragile trust holding together billions in automated liquidity—where a few lines of buggy code can vaporize fortunes faster than a regulator can draft a memo.

Another 'unprecedented' event in a sector that really should have precedents by now. Maybe next time they'll audit the money printer before plugging it in.

Yearn Finance, one of the most well-known DeFi platforms, has suffered a major security incident that caused nearly $9 million in losses. The attack targeted a custom stable-swap pool linked to Yearn’s yETH token, allowing the hacker to mint almost unlimited tokens and drain the pool in a single strike.

Here are the key details.

How the Attack Happened

According to Yearn Finance, the issue occurred on November 30 around 21:11 UTC. The affected contract was designed differently from Yearn’s main products, but a weakness in that code allowed the attacker to mint a near-infinite number of yETH tokens, far beyond what the system was supposed to allow.

With these fake tokens, they withdrew real ETH and liquid staking assets from the pool. 

Around $8 million was drained from the main stableswap pool, and another $0.9 million was removed from the yETH-WETH pool on Curve. The damage is nearly $9 million.

$3 Million Laundered Through Tornado Cash

Blockchain security firm PeckShieldAlert confirms that the exploiter quickly moved around 1,000 ETH ($3 million) into Tornado Cash, a platform often used to hide transaction trails. The remaining stolen funds, roughly $6 million, still sit in the attacker’s wallet address (0xa80d…c822).

#PeckShieldAlert Yearn Finance @yearnfi suffered an attack resulting in a total loss of ~$9M.

The exploit involved minting a near-infinite number of yETH tokens, depleting the pool in a single transaction.

~1K $ETH (worth ~$3M) was sent to #TornadoCash, while the exploiter's… pic.twitter.com/IXNygpwoWa

— PeckShieldAlert (@PeckShieldAlert) December 1, 2025

The wallet currently holds a mix of ETH, pxETH, frxETH, cbETH, Lido stETH, and Rocket Pool rETH. Most of this is now staked, likely an attempt to delay recovery or complicate potential legal actions.

Yearn Finance’s Response

Yearn Finance’s team responded quickly, confirming that the exploit was isolated to the legacy yETH product and assuring users that active vaults and their funds remain safe.

They have been working with security teams and auditors to investigate the incident further. So far, no recovery plan has been announced.

Following news of the attack, Yearn’s governance token (YFI) dropped about 4.4%, trading near $3956.
