Yearn Finance yETH Exploited: $3 Million Vanishes in Unlimited Minting Attack

A major vulnerability in Yearn Finance's yETH vault has been exploited, resulting in a $3 million loss. The attack leveraged an unlimited minting flaw, shaking confidence in one of DeFi's cornerstone protocols.
Anatomy of a Digital Heist
The exploit didn't involve a complex social engineering scheme or a phishing campaign. Instead, it targeted the protocol's core logic. Attackers identified and manipulated a flaw in the minting mechanism, allowing them to create yETH tokens without the requisite collateral. This wasn't a slow bleed—it was a digital bank vault swinging wide open.
The $3 Million Question
While the exact on-chain mechanics are technical, the outcome is brutally simple: $3 million in value was extracted from the protocol. The attack underscores a persistent tension in decentralized finance—the race between building innovative, complex financial products and ensuring their underlying code is bulletproof. It's the kind of event that makes traditional finance guys smirk into their overpriced lattes, muttering about 'unregulated cowboy code.'
Security in the Spotlight
Incidents like this force the entire ecosystem to scrutinize its foundations. They're painful but pivotal, driving audits, bug bounties, and more robust design patterns. For Yearn and its users, the path forward involves damage assessment, patching the vulnerability, and rebuilding trust—one secure transaction at a time.
The exploit is a stark reminder: in the high-stakes world of DeFi, a single line of flawed code can have a multimillion-dollar price tag.
TLDR
- Yearn Finance’s yETH product was exploited through an unlimited minting attack that drained liquidity from Balancer pools on November 30, 2025
- The attacker created approximately 235 trillion yETH tokens in one transaction and stole around $2.8-3 million worth of ETH
- About 1,000 ETH was laundered through Tornado Cash mixer after the exploit
- Yearn confirmed V2 and V3 Vaults were not affected and remain secure, with total value locked staying above $600 million
- YFI token price spiked from $4,080 to over $4,160 after the exploit due to a short squeeze from traders misinterpreting the attack’s scope
Yearn Finance confirmed an active exploit targeting its yETH product on Sunday after an attacker executed an unlimited token minting attack. The incident occurred around 21:11 UTC on November 30, 2025.
We are investigating an incident involving the yETH LST stableswap pool.
Yearn Vaults (both V2 and V3) are not affected.
— yearn (@yearnfi) November 30, 2025
Blockchain data shows the attacker minted approximately 235 trillion yETH tokens in a single transaction. The malicious wallet then used these tokens to drain real assets from Balancer liquidity pools.
The exploit specifically targeted yETH, an index token consisting of various Ethereum Liquid Staking Derivatives. The attacker removed primarily ETH and liquid staking tokens from the affected pools.
#PeckShieldAlert Yearn Finance @yearnfi suffered an attack resulting in a total loss of ~$9M.
The exploit involved minting a near-infinite number of yETH tokens, depleting the pool in a single transaction.
~1K $ETH (worth ~$3M) was sent to #TornadoCash, while the exploiter's…
— PeckShieldAlert (@PeckShieldAlert) December 1, 2025
Early estimates suggest the attacker profited around 1,000 ETH, worth approximately $2.8 to $3 million. The stolen funds were quickly routed through Tornado Cash, a cryptocurrency mixer used to obscure transaction trails.
Nansen’s alert system confirmed the attack as an infinite-mint vulnerability in the yETH token contract. The vulnerability did not affect Yearn’s main Vault infrastructure.
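A supply monitor of the kind that would flag an infinite-mint event like the one described above, as an added example that is not Yearn's, Nansen's or PeckShield's code: it flags any transaction whose minted amount exceeds a set fraction of the supply that existed before it. The 25% threshold, 18-decimal unit, addresses, transaction ids and starting supply are constructed assumptions; only the 235 trillion figure is from the article.

```python
# Added example: flag single-transaction mints that dwarf the existing supply.
ZERO = "0x" + "00" * 20   # ERC-20 mints come from, and burns go to, the zero address
WAD = 10**18              # assumes an 18-decimal token

# Constructed Transfer events in chain order (not real on-chain data).
# Addresses, tx ids and amounts are made up; only the 235 trillion
# figure in 0xtx4 comes from the article.
EVENTS = [
    {"tx": "0xtx1", "from": ZERO,        "to": "0xalice",   "value": 50 * WAD},
    {"tx": "0xtx2", "from": "0xbob",     "to": ZERO,        "value": 20 * WAD},
    {"tx": "0xtx3", "from": "0xalice",   "to": "0xbob",     "value": 5 * WAD},
    {"tx": "0xtx4", "from": ZERO,        "to": "0xmallory", "value": 235 * 10**12 * WAD},
    {"tx": "0xtx4", "from": "0xmallory", "to": "0xpool",    "value": 235 * 10**12 * WAD},
]


def flag_anomalous_mints(events, starting_supply, max_mint_bps=2500):
    """Return one alert per transaction whose minted amount exceeds
    max_mint_bps (basis points) of the total supply before that transaction."""
    per_tx = {}  # dicts keep insertion order, so chain order is preserved
    for ev in events:
        totals = per_tx.setdefault(ev["tx"], {"minted": 0, "burned": 0})
        if ev["from"] == ZERO:
            totals["minted"] += ev["value"]
        if ev["to"] == ZERO:
            totals["burned"] += ev["value"]

    supply, alerts = starting_supply, []
    for tx, totals in per_tx.items():
        # Integer-only comparison; any mint into an empty supply also alerts.
        if totals["minted"] * 10_000 > supply * max_mint_bps:
            alerts.append(
                {"tx": tx, "minted": totals["minted"], "supply_before": supply}
            )
        supply += totals["minted"] - totals["burned"]
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalous_mints(EVENTS, starting_supply=3_000 * WAD):
        ratio = alert["minted"] // max(alert["supply_before"], 1)
        print(f"ALERT {alert['tx']}: minted about {ratio:,}x the prior supply")
```

The same check can run as a pre-trade guard in any pool or integration that accepts the token, so that a supply jump of this size pauses swaps instead of only raising an alert.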
Yearn Vaults Remain Secure as Investigation Continues
Yearn Finance issued a statement confirming that its V2 and V3 Vaults remain secure and unaffected by the exploit. The vulnerability appears limited to the legacy yETH implementation.
The protocol’s Total Value Locked remains above $600 million, according to CoinGecko data. This suggests the core systems were not compromised during the attack.
The exploit involved several newly deployed smart contracts that self-destructed after the transaction. These helper contracts were deployed minutes before the incident to obscure the attacker’s trail.
Prior to the attack, the yETH pool had a total value around $11 million, according to Dexscreener data. The total financial losses remain under investigation.
The incident marks another security breach for Yearn Finance, which suffered a hack in 2021 affecting its yDAI vault. That attack resulted in $11 million in losses, with the hacker taking $2.8 million.
YFI Token Shows Unexpected Price Spike
YFI’s price spiked sharply following the exploit, climbing from near $4,080 to over $4,160 within an hour. The move came despite negative headlines surrounding the security breach.
Market analysts attribute the price spike to a short squeeze. Initial reports of a “Yearn exploit” prompted traders to open short positions on YFI.
When traders learned the attack was isolated to yETH and not Yearn’s main Vaults, short-sellers began covering positions. This triggered rapid buying pressure and volatility-driven price movement.
YFI’s circulating supply stands at only 33,984 tokens, making it one of the most illiquid major DeFi governance assets. This structure amplifies price movements during periods of uncertainty.
Derivatives data showed elevated funding volatility immediately after the exploit alert. For now, losses appear contained to the yETH and Balancer pools touched by the exploit.