Yearn Finance’s yETH Hit by $3M Exploit—Attackers Already Laundering Through Tornado Cash

Another day, another DeFi protocol bleeding digital gold. Yearn Finance's yETH vault just got raided, with attackers making off with a cool $3 million in Ethereum before funneling it straight into the crypto mixer of choice: Tornado Cash.

The Mechanics of the Heist

While the exact exploit vector remains under scrutiny, early analysis points to a potential flaw in the vault's yield-generation logic. The attackers didn't just steal—they executed a precision strike, bypassing security layers to drain funds directly from the smart contract. It's a stark reminder that in DeFi, the code is the law, and sometimes the law has loopholes.

The Aftermath and the Wash

The stolen ETH didn't sit idle. On-chain sleuths tracked the funds moving at breakneck speed into Tornado Cash, the privacy protocol that's become a standard part of the post-hack laundry cycle. It's the financial equivalent of a getaway car—fast, anonymous, and frustratingly effective for obscuring trails.

This isn't Yearn's first rodeo, but each breach chips away at the "set it and forget it" yield fantasy sold to depositors. The promise of automated, risk-managed returns collides, yet again, with the reality of adversarial code. In traditional finance, you might get a bailout; in crypto, you get a blockchain explorer showing your money vanishing in real-time.

The exploit cuts to the core of DeFi's trust dilemma—you're handing over assets to immutable, often unaudited, lines of code. When it works, it's genius. When it fails, it's just another expensive lesson in the high-stakes game of yield chasing. As one cynical observer might note: the only thing generating more yield than these vaults lately is the cybersecurity consulting industry.

yETH Incident Puts DeFi Security Under Lens

The incident apparently involved several newly deployed smart contracts, which self-destructed after the transaction, per blockchain data. The total financial losses remain unclear; however, the yETH pool had a total value around $11 million prior to the attack, Dexscreener data shows.

Following the exploit, mixed reactions came from the community, with some expressing concern over the continued use of outdated contracts.

Besides, Yearn Finance suffered a hack in 2021, affecting its yDAI vault and losing $11 million in value. The hacker apparently got away with $2.8 million at that time. Later, that protocol flagged a faulty script in December 2023, wiping out 63% of a position in its treasury.

Crypto Lost $127M to Hacks, Scams in November Alone

Meanwhile, blockchain security firm CertiK confirmed on Sunday that the crypto industry suffered an estimated $127 million in losses to hacks and exploits.

The company’s monthly threat report noted that the actual affected funds were more than $172 million. However, the numbers reduced by $45 million after some of the stolen funds were recovered.

Balancer DeFi protocol attack tops the list of major exploits in November, marking one of 2025’s largest DeFi security breaches. The platform lost over $116 million in a sophisticated cross-chain exploit that affected multiple blockchains.

About $135 million was lost in DeFi incidents, followed by $29.8 million drained in exchange hacks, CertiK data noted.