Ethereum News Today: DeFi's Ghost Contracts Drain $9M from Yearn's Legacy System
Yearn Finance, a leading decentralized finance (DeFi) platform, lost about $9 million on November 30, 2025, after an attacker exploited a vulnerability in its legacy yETH token contract. The attack minted an effectively unlimited number of yETH tokens, used them to drain liquidity pools, and routed $3 million of the stolen Ether (ETH) through the Tornado Cash mixer, a privacy tool designed to obscure transaction trails. The incident highlights ongoing security challenges in the DeFi sector, where complex smart contract ecosystems remain exposed to sophisticated exploits.
The exploit targeted a stableswap pool linked to yETH, a liquid staking derivative index token. The attacker deployed helper contracts that self-destructed once the transaction completed, a common tactic that removes the helper bytecode from the chain and complicates post-incident analysis. By minting 235 trillion yETH tokens in a single call, far beyond the protocol's intended limits, the attacker drained Balancer and Curve pools, converting the tokens into ETH and liquid staking tokens. Over 1,000 ETH (about $3 million) was subsequently sent to Tornado Cash, with the remaining $6 million in mixed assets still held in the attacker's wallet, according to reports.
Yearn Finance's response emphasized that its active V2 and V3 Vaults were unaffected, a critical distinction for users. The platform confirmed the breach was isolated to a deprecated yETH contract, a product it had moved away from in favor of newer liquid staking models. This "legacy contract" problem is not unique to Yearn: many DeFi protocols keep outdated smart contracts live with residual liquidity, creating exploitable blind spots. The company has since paused the router, deployed a patched v1.1 contract, and launched a $500,000 bug bounty to incentivize reports of further vulnerabilities, according to security reports.
The attack underscores a broader pattern in DeFi security. CertiK's November 2025 threat report put losses from hacks and scams at $127 million for the month, with Balancer's $116 million exploit the largest single incident. These incidents reflect the sector's struggle to balance innovation with robust safeguards. While Yearn's governance token (YFI) dipped 4.4% after the attack, the project's track record of recovering from prior breaches, such as the 2021 yDAI exploit and the 2023 treasury drain, suggests resilience. A proposed $3.2 million reimbursement via a USDC Merkle drop is under consideration, though no formal plan has been announced, according to Yearn's official statement.
Industry experts stress the need for proactive measures. The yETH exploit exemplifies how deprecated contracts, if not properly decommissioned (minting disabled, residual liquidity withdrawn, or the contract paused), can become "ghost contracts" with real financial consequences. Enhanced audit protocols, real-time monitoring of on-chain events, and improved token security APIs are increasingly critical. Platforms like GoPlus, which reported $4.7 million in 2025 revenue from security tools, are gaining traction as DeFi actors prioritize risk mitigation.
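The mint described above (235 trillion tokens in a single call) and the real-time monitoring this paragraph calls for can be illustrated with a small detector over raw ERC-20 event logs. The following is an added example, not code from Yearn or from the page: it treats any `Transfer` event whose sender is the zero address as a mint, sums mints per transaction, and flags transactions whose total exceeds an operator-chosen cap. The log records and addresses are constructed to mimic a JSON-RPC `eth_getLogs` response; the only real constant is the standard `Transfer(address,address,uint256)` topic hash. The cap of 10,000 tokens per transaction is an assumed operational threshold, not a value from the article.

```python
"""Flag oversized ERC-20 mints from raw eth_getLogs-style records.

Illustrative monitoring code added for this article; it is not Yearn's
code. A mint appears on-chain as a Transfer event whose `from` topic is
the zero address, so no knowledge of the token's own mint function is
needed: the same check works for any ERC-20, including a deprecated one.
"""
from collections import defaultdict

# keccak256("Transfer(address,address,uint256)"), the standard ERC-20 topic.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_ADDRESS = "0x" + "00" * 20


def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_mints(logs):
    """Yield (tx_hash, recipient, amount_in_base_units) for every mint."""
    for log in logs:
        topics = log.get("topics", [])
        # Need signature + indexed from + indexed to, and the ERC-20 signature.
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        if topic_to_address(topics[1]) != ZERO_ADDRESS:
            continue  # ordinary transfer, not a mint
        amount = int(log["data"], 16)  # uint256 value, ABI-encoded in `data`
        yield log["transactionHash"], topic_to_address(topics[2]), amount


def find_suspicious_mints(logs, max_mint_per_tx, decimals=18):
    """Return {tx_hash: whole_tokens_minted} for transactions above the cap.

    Mints are summed per transaction on purpose: one call can emit many
    Transfer events that are each below the threshold but huge in total.
    """
    per_tx = defaultdict(int)
    for tx_hash, _recipient, amount in decode_mints(logs):
        per_tx[tx_hash] += amount
    return {
        tx: total // 10**decimals
        for tx, total in per_tx.items()
        if total > max_mint_per_tx
    }


# --- Constructed sample data (hashes and addresses are placeholders) -------
def _word(value: int) -> str:
    """ABI-encode a uint256 as a 0x-prefixed 32-byte hex word."""
    return "0x" + format(value, "064x")


def _addr_topic(addr: str) -> str:
    """Encode an address the way it appears as an indexed event topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")


ALICE = "0x" + "11" * 20
ATTACKER = "0x" + "aa" * 20

SAMPLE_LOGS = [
    {  # a routine mint of 5 tokens
        "transactionHash": "0x" + "01" * 32,
        "topics": [TRANSFER_TOPIC, _addr_topic(ZERO_ADDRESS), _addr_topic(ALICE)],
        "data": _word(5 * 10**18),
    },
    {  # an ordinary transfer between users; must be ignored
        "transactionHash": "0x" + "02" * 32,
        "topics": [TRANSFER_TOPIC, _addr_topic(ALICE), _addr_topic(ATTACKER)],
        "data": _word(10**18),
    },
    {  # 235 trillion tokens minted in one call, the figure reported for yETH
        "transactionHash": "0x" + "03" * 32,
        "topics": [TRANSFER_TOPIC, _addr_topic(ZERO_ADDRESS), _addr_topic(ATTACKER)],
        "data": _word(235 * 10**12 * 10**18),
    },
]

# Assumed operational cap: 10,000 whole tokens per transaction.
MAX_MINT_PER_TX = 10_000 * 10**18

if __name__ == "__main__":
    for tx, tokens in find_suspicious_mints(SAMPLE_LOGS, MAX_MINT_PER_TX).items():
        print(f"ALERT: {tx} minted {tokens:,} tokens in a single transaction")
```

In production the `SAMPLE_LOGS` list would be replaced by the result of polling `eth_getLogs` with the token address and `TRANSFER_TOPIC` as filters; the cap should be set well below the contract's intended per-call limit so that a legacy contract with no remaining legitimate minting activity alerts on any mint at all.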
As the sector matures, the challenge lies in addressing both technical vulnerabilities and systemic issues like privacy tool misuse. Tornado Cash's role in laundering stolen assets has drawn regulatory scrutiny, yet its utility for legitimate privacy remains contentious. For DeFi to achieve mainstream adoption, stakeholders must balance innovation with accountability—a task that demands collaboration across developers, auditors, and regulators.