Yearn’s yETH Pool Drained: $3 Million in ETH Vanishes into Tornado Cash

A major DeFi vault just got raided. The exploit highlights the persistent vulnerabilities lurking beneath the surface of automated yield strategies.

The Mechanics of a Flash Heist

The attack didn't rely on a novel smart contract bug. Instead, it manipulated the pool's internal pricing mechanism during a single, complex transaction. By artificially skewing the value of deposited assets, the attacker minted an inflated amount of yETH tokens and immediately redeemed them for a disproportionate share of the pool's underlying Ethereum. The entire digital heist executed in one block—funds were in and out before anyone could react.

The Tornado Cash Wash Cycle

Following the siphon, the stolen ETH didn't sit in a wallet. It went straight into the crypto blender. Tornado Cash, the sanctioned privacy mixer, received the full $3 million haul, effectively scrambling the transaction trail. This move signals a sophisticated operator who understands that stealing the funds is only half the battle—cashing them out is the other. It's the blockchain equivalent of a getaway car switching license plates mid-chase.

DeFi's Persistent Insurance Gap

Incidents like this underscore a brutal truth for yield farmers: high APY often comes with uninsured risk. While traditional finance has its FDIC moments, DeFi's 'code is law' ethos means losses are frequently total. The community is left scrutinizing audit reports that, in this case, clearly missed a critical flaw. It's a stark reminder that in the race for returns, security can sometimes be an afterthought—until it's not.

The fallout is another stress test for DeFi's resilience. The ecosystem absorbs the blow, pats itself on the back for being 'decentralized and permissionless,' and moves on. The price of ETH barely flinched—proving once again that for every cautious investor scared away by a hack, two more are waiting to ape into the next high-yield pool. The market's memory is notoriously short, especially when there's money to be made.

TLDR

• Yearn Finance’s yETH product was hit by an exploit that drained its entire pool of funds.
• Attackers minted unlimited tokens and withdrew millions from Balancer pools.
• The stolen 1,000 ETH, worth $3 million, was routed through Tornado Cash to obscure its origin.
• The exploit targeted newly deployed smart contracts that self-destructed after the transaction.
• Yearn confirmed the breach but assured that its V2 and V3 Vaults were unaffected.

Yearn Finance’s yETH product was hit by a serious exploit on Monday, draining its entire pool. Attackers minted an unlimited number of tokens, withdrawing millions from Balancer pools. Blockchain data indicates that the attackers pocketed roughly 1,000 ETH, which is worth around $3 million. This sum was then funneled through Tornado Cash.

Exploit Drains yETH Pool

The exploit affected Yearn Finance’s yETH, a token that combines multiple liquid-staked ethereum derivatives (LSTs). The attackers exploited newly deployed smart contracts, which self-destructed after the transaction. According to blockchain data, the total value of the yETH pool was around $11 million before the exploit.

We are investigating an incident involving the yETH LST stableswap pool.

Yearn Vaults (both V2 and V3) are not affected.

— yearn (@yearnfi) November 30, 2025

“Heavy transactions on LSTs” were initially flagged by an X user known as Togbe, who raised alarms about the suspicious activity. Yearn later confirmed the breach, assuring users that the V2 and V3 Vaults remained secure and unaffected. Despite this, the attack drained significant funds from the pool.

Tornado Cash Involved in the Exploit

Following the exploit, the stolen 1,000 ETH was sent through Tornado Cash, a well-known cryptocurrency mixer. This allowed the attackers to obfuscate the origin of the funds, making it harder to trace. The mixer has long been associated with laundering stolen funds, and its involvement in this attack is consistent with past exploits.

The use of Tornado Cash in this exploit highlights an ongoing concern in the crypto space. It serves as a reminder of the challenges related to tracking illicit transactions. Blockchain security firm CertiK confirmed the stolen funds were routed through Tornado Cash, adding to the growing list of exploits involving the service.

Previous Yearn Finance Security Incidents

This isn’t the first time Yearn Finance has suffered a security breach. In 2021, the platform lost $11 million when its yDAI vault was hacked. At the time, the attacker took off with $2.8 million in stolen funds. Yearn’s recent history with hacks has raised concerns about the continued security of its platform.

A faulty script in December 2023 wiped out 63% of a position in Yearn’s treasury. Despite these setbacks, the platform has maintained its reputation in the DeFi space. The recent attack has intensified scrutiny over the use of outdated contracts and the need for enhanced security measures.

DeFi Ecosystem Suffers Major Losses

The exploit on Yearn Finance is part of a broader trend of DeFi attacks. CertiK reported that the crypto industry lost an estimated $127 million due to hacks and exploits. The year’s largest DeFi exploit occurred on the Balancer platform, where a cross-chain attack resulted in a loss of $116 million.

#CertiKStatsAlert

Combining all the incidents in November we’ve confirmed ~$127M lost to exploits, hacks and scams after ~$45M was frozen or returned.

More details belowpic.twitter.com/sOunnk1pEK

— CertiK Alert (@CertiKAlert) November 30, 2025

With these incidents, the security of decentralized finance platforms remains a critical issue. Hackers are increasingly targeting DeFi platforms, draining millions and sending funds through services like Tornado Cash. The ongoing issues with DeFi security have left many in the community questioning how to protect against such attacks.