Yearn Finance Bleeds $9M in Critical yETH Contract Exploit - Here’s What Went Wrong
A smart contract flaw just turned into a $9 million payday for an attacker—and a brutal lesson in DeFi security.
Yearn Finance's yETH vault, designed to optimize Ethereum staking yields, got drained overnight. The exploit didn't require some quantum-computing-level hack. It leveraged a known vulnerability in how the contract handled price calculations during deposits and withdrawals.
The Mechanics of the Drain
The attacker manipulated the vault's internal accounting. By depositing and withdrawing in a specific sequence, they tricked the system into overvaluing their share. The contract then paid out far more assets than the attacker actually put in. Simple math, executed with precision.
Security vs. Speed: The Eternal Tug-of-War
This wasn't a zero-day mystery. The vulnerability pattern—a price oracle manipulation—is a classic in DeFi post-mortems. It highlights the relentless pressure to ship new products in a competitive yield market, where a week's delay can mean millions in missed TVL. Sometimes, moving fast really does break things. Expensively.
The Aftermath and the Road Ahead
Yearn's team disabled the vulnerable vault. Investigations are ongoing, and the usual chorus of blockchain forensic firms is on the case. The protocol's treasury will likely cover the loss, a costly but necessary move to maintain user trust. It's a stark reminder: in the race for yield, the smartest contract is the one that hasn't been exploited yet. And in crypto finance, a 'stress test' often means watching real money vanish into a stranger's wallet.
Attacker minted infinite yETH tokens draining liquid staking pool in single transaction. About $3M worth of $ETH sent through Tornado Cash mixing service. Exploit involved freshly-deployed smart contracts that… pic.twitter.com/AYy8K1tsl7
— Unchained (@Unchained_pod) December 1, 2025
According to on-chain analysis, the attacker exploited a critical vulnerability in a, enabling them to mint an unlimited amount of yETH without posting any collateral. The attacker then drained liquidity from Balancer pools and later routed part of the stolen funds through the privacy mixer, making recovery increasingly difficult.
How the Attack Happened
Blockchain security researchers identified that the exploit stemmed from a severe flaw in an old yETH contract still accessible within the protocol. The vulnerability allowed the attacker to mint, bypassing supply restrictions entirely.
Key findings include:
- The attacker minted about 235 trillion yETH in a single transaction.
- They used these tokens to drain liquidity from Balancer pools linked to Yearn.
- Yearn Finance reported the total loss at around USD 9 million.
- Before the attack, yETH pools held approximately USD 11 million, meaning the majority of assets were wiped out.
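The findings above describe a mint that far exceeded anything the pool's collateral could back. One defensive control that follows from that is a supply-versus-backing monitor. The script below is an added example written for this article, not Yearn's code: it assumes a simplified model in which each yETH-style token should be backed 1:1 by ETH held by the protocol, and that mints appear as ERC-20 Transfer events from the zero address. Every event, address, balance and transaction id in it is constructed sample data; the only figure taken from the article is the 235 trillion token mint size.

```python
"""Detection sketch: flag token mints that are not backed by protocol collateral.

Added example for this article; it is not Yearn's code. It assumes a
simplified model in which every unit of a yETH-style token is meant to be
backed 1:1 by ETH held in the protocol, and that mints show up as ERC-20
Transfer events whose sender is the zero address. Every event, address
and balance below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

ZERO_ADDRESS = "0x" + "0" * 40
WAD = 10**18  # 18-decimal token units, like ETH wei
BPS = 10_000  # basis points, so the ratio check stays in integer math


@dataclass(frozen=True)
class Transfer:
    """One ERC-20 Transfer(from, to, value) event, value in 18-decimal units."""
    tx_hash: str
    sender: str
    receiver: str
    value: int


@dataclass(frozen=True)
class Alert:
    tx_hash: str
    minted: int          # size of the offending mint
    supply_after: int    # total supply once the mint is applied
    backing: int         # collateral the supply is supposed to be backed by


def is_mint(ev: Transfer) -> bool:
    return ev.sender == ZERO_ADDRESS


def is_burn(ev: Transfer) -> bool:
    return ev.receiver == ZERO_ADDRESS


def scan_mints(events: List[Transfer], backing_wei: int, starting_supply_wei: int,
               max_bps: int = BPS) -> Tuple[List[Alert], int]:
    """Replay Transfer events in order, tracking total supply.

    A mint that pushes supply above backing * max_bps / BPS is flagged. With
    max_bps == 10_000 the rule is "supply may never exceed collateral", which
    an unlimited mint violates by many orders of magnitude. Returns the
    alerts and the final supply.
    """
    supply = starting_supply_wei
    alerts: List[Alert] = []
    for ev in events:
        if is_mint(ev):
            supply += ev.value
            if supply * BPS > backing_wei * max_bps:
                alerts.append(Alert(ev.tx_hash, ev.value, supply, backing_wei))
        elif is_burn(ev):
            supply -= ev.value
        # wallet-to-wallet transfers do not change total supply
    return alerts, supply


def unbacked_fraction_bps(supply_wei: int, backing_wei: int) -> int:
    """How much of the supply has no collateral behind it, in basis points."""
    if supply_wei <= backing_wei:
        return 0
    return (supply_wei - backing_wei) * BPS // supply_wei


# --- constructed sample data (not real chain data) -----------------------
BACKING = 3_000 * WAD             # assume the pool holds 3,000 ETH
STARTING_SUPPLY = 2_900 * WAD     # and 2,900 tokens are outstanding
USER_A = "0x" + "a" * 40
USER_B = "0x" + "b" * 40

SAMPLE_EVENTS = [
    Transfer("0xtx1-constructed", ZERO_ADDRESS, USER_A, 10 * WAD),          # ordinary mint
    Transfer("0xtx2-constructed", USER_A, USER_B, 4 * WAD),                 # plain transfer
    Transfer("0xtx3-constructed", USER_B, ZERO_ADDRESS, 5 * WAD),           # ordinary burn
    Transfer("0xtx4-constructed", ZERO_ADDRESS, USER_B, 235 * 10**12 * WAD),  # 235 trillion
]


def run_sample() -> Tuple[List[Alert], int]:
    return scan_mints(SAMPLE_EVENTS, BACKING, STARTING_SUPPLY)


if __name__ == "__main__":
    alerts, final_supply = run_sample()
    for a in alerts:
        print(f"ALERT {a.tx_hash}: minted {a.minted // WAD} tokens, "
              f"supply {a.supply_after // WAD} vs backing {a.backing // WAD}")
    print("unbacked fraction (bps):", unbacked_fraction_bps(final_supply, BACKING))
```

The ordinary mint and burn pass because supply stays under the 3,000 ETH of assumed backing; the fourth event trips the check on its own. In a real deployment the backing figure would come from the protocol's collateral balance rather than a constant, and the same integer-ratio check can run as an on-chain invariant in the mint path, so that a mint which would leave supply unbacked reverts instead of merely raising an alert after the fact.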
This exploit occurred on, where Yearn’s smart contracts and vaults operate.
Stolen Funds Routed Through Tornado Cash
Of the funds extracted,—worth roughly—was sent to, a privacy protocol often used to obscure transaction trails. The move significantly complicates efforts to trace or recover the stolen assets.
Security firm PeckShield estimates that the attacker’s wallet still holds around, suggesting additional movements may follow.
The incident highlights an ongoing concern in DeFi: legacy contracts and permissionless mixer tools remain prime vectors for large-scale hacks.
Yearn’s Response and User Guidance
Yearn Finance has urged users tountil further notice. The project emphasized that the exploit didaffect Yearn’s Core products, including:
- V2 Vaults
- V3 Vaults
Yearn is now working with leading cybersecurity teams, includingand, to investigate the exploit, patch vulnerabilities, and evaluate further protective measures.
Meanwhile, users are being reminded of the importance of rigorous wallet security:
The post Yearn Finance Suffers USD 9M Hack After Critical yETH Contract Exploit appeared first on icobench.com.