DeFi's Math Crisis: Yearn Recovers $2.4M After $9M Infinite Token Exploit

Generated by AI AgentCoin WorldReviewed byRodder Shi
Monday, Dec 1, 2025 5:50 pm ET1min read
Speaker 1
Speaker 2
AI Podcast:Your News, Now Playing
Aime RobotAime Summary

- Yearn Finance recovered $2.4M from a $9M exploit exploiting a yETH contract's "unchecked arithmetic" bug, enabling infinite token minting.

- Attackers used self-destructing contracts and Tornado Cash to launder 1,000 ETH and liquid staking tokens, targeting outdated legacy code.

- Yearn confirmed the breach isolated to legacy yETH, with V2/V3 vaults secure, and partnered with security firms to reclaim 857.49 pxETH.

- The incident highlights DeFi's math vulnerabilities, as 2025 hacks have already cost $2.5B, with Yearn launching a $500K bug bounty program.

Yearn Finance, a pioneering decentralized finance (DeFi) protocol, has

recovered approximately $2.4 million in assets
stolen during a recent exploit targeting its legacy yETH stableswap pool. The attack, which
exploited a critical "unchecked arithmetic" bug
in the yETH token contract, allowed the attacker to mint an astronomically large number of tokens-2.3544×10^56 yETH-effectively creating a near-infinite supply to drain liquidity from the protocol. Total estimated losses from the incident approach $9 million, with the recovery mission ongoing.

The exploit, the third to target

Yearn
since 2021,
leveraged a vulnerability in the yETH contract's arithmetic logic
, enabling the attacker to manipulate the token supply and withdraw real assets from liquidity pools. The attacker deployed
self-destructing "helper contracts"
to automate the exploit, a common tactic in complex DeFi attacks. These contracts executed the malicious minting and withdrawal sequence before erasing their code to obscure the trail. The stolen assets included 1,000
ETH
and various liquid staking tokens, which were
partially laundered through the Tornado Cash anonymity service
.

Yearn's

post-mortem analysis confirmed
that the attack was isolated to the legacy yETH product and did not affect its newer V2 or V3 vaults, which hold over $410 million in deposits. The team emphasized that
recovered assets will be returned
to affected depositors, with 857.49 pxETH already reclaimed through collaboration with security firms SEAL 911 and ChainSecurity. The vulnerability,
described as a "high-complexity" flaw
, stemmed from a design oversight in the yETH contract's arithmetic checks.

Market reactions to the exploit were mixed. Yearn's governance token (YFI)

initially dropped 4.4% post-incident
but later spiked to $4,160 amid short-covering and low liquidity. The incident underscores broader challenges in DeFi security, as the attack exploited outdated code in a deprecated product. This
aligns with a trend of hackers targeting legacy contracts
, which often remain active despite being phased out.

The yETH exploit adds to a grim 2025 for DeFi,

with over $2.5 billion lost
to hacks and exploits year-to-date. CertiK's November threat report highlighted $127 million in losses during the month alone, including the $116 million
Balancer
hack, which also stemmed from arithmetic errors
as reported by CryptoNews
. Yearn's incident highlights the risks of complex smart contracts, where even minor miscalculations can lead to catastrophic losses.

Yearn has

paused the affected yETH router
and launched a $500,000 bug bounty program to incentivize further security audits. The team is
working with Chainalysis to monitor the stolen funds
and implement real-time alerts for future minting anomalies. While the protocol's core infrastructure remains secure, the attack serves as a cautionary tale for DeFi projects relying on legacy systems.

Comments



Add a public comment...
No comments

No comments yet