DeFi's Math Crisis: Yearn Recovers $2.4M After $9M Infinite Token Exploit


Yearn Finance, a pioneering decentralized finance (DeFi) protocol, has recovered approximately $2.4 million in assets stolen during a recent exploit targeting its legacy yETH stableswap pool. The attack, which exploited a critical "unchecked arithmetic" bug in the yETH token contract, allowed the attacker to mint an astronomically large number of tokens (2.3544×10^56 yETH), effectively creating a near-infinite supply to drain liquidity from the protocol. Total estimated losses from the incident approach $9 million, with the recovery mission ongoing.
The exploit, the third to target Yearn since 2021, leveraged a vulnerability in the yETH contract's arithmetic logic, enabling the attacker to manipulate the token supply and withdraw real assets from liquidity pools. The attacker deployed self-destructing "helper contracts" to automate the exploit, a common tactic in complex DeFi attacks. These contracts executed the malicious minting and withdrawal sequence before erasing their code to obscure the trail. The stolen assets included 1,000 ETH and various liquid staking tokens, which were partially laundered through the Tornado Cash anonymity service.
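To make "unchecked arithmetic" concrete, here is an added illustration (example code, not Yearn's contract or the actual yETH bug): a Python model of EVM uint256 arithmetic in which a hypothetical LP-share formula, run without overflow guards, wraps a negative difference into an astronomically large mint, while the checked version reverts; it also includes the kind of supply-ratio rule a minting-anomaly monitor can apply. The share formula, pool figures, fee and threshold are all constructed.

```python
# Added example (not Yearn's code): a Python model of EVM uint256 arithmetic.
# The SUB and MUL opcodes wrap modulo 2**256; compilers such as Solidity >= 0.8
# insert guards that revert on overflow unless the code opts out ("unchecked").

MASK = 2**256 - 1  # largest uint256 value

class Revert(Exception):
    """Raised where a checked operation would revert the whole transaction."""

def sub(a: int, b: int, checked: bool) -> int:
    """uint256 subtraction: wraps like raw SUB when unchecked, reverts on underflow when checked."""
    if checked and b > a:
        raise Revert("underflow")
    return (a - b) & MASK

def mul(a: int, b: int, checked: bool) -> int:
    """uint256 multiplication: wraps like raw MUL when unchecked, reverts on overflow when checked."""
    product = a * b
    if checked and product > MASK:
        raise Revert("overflow")
    return product & MASK

def shares_to_mint(total_supply: int, pool_balance: int, deposit: int, fee: int, checked: bool) -> int:
    """Hypothetical (constructed) LP-share formula: shares = (deposit - fee) * total_supply / pool_balance.
    A fee larger than the deposit is the accounting edge case the guards exist for:
    unchecked, the negative difference wraps to roughly 1.16e77 and the caller is minted an
    astronomical number of shares; checked, the transaction reverts instead."""
    net = sub(deposit, fee, checked)
    return mul(net, total_supply, checked) // pool_balance  # DIV cannot overflow

def mint_is_anomalous(amount: int, total_supply_before: int, max_ratio: int = 10) -> bool:
    """Monitor rule for mint events (Transfer from the zero address): flag a single mint larger
    than max_ratio times the supply that existed before it. The default ratio is a constructed threshold."""
    return amount > max_ratio * total_supply_before

if __name__ == "__main__":
    ts, pool = 1_000 * 10**18, 1_000 * 10**18  # constructed: 1,000 shares backed by 1,000 ETH-units
    honest = shares_to_mint(ts, pool, 10 * 10**18, 10**16, checked=True)
    print("normal deposit mints", honest, "anomalous:", mint_is_anomalous(honest, ts))
    wrapped = shares_to_mint(ts, pool, 10**18, 2 * 10**18, checked=False)
    print("unchecked fee>deposit mints", wrapped, "anomalous:", mint_is_anomalous(wrapped, ts))
    try:
        shares_to_mint(ts, pool, 10**18, 2 * 10**18, checked=True)
    except Revert as exc:
        print("checked version reverts:", exc)
```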
Yearn's post-mortem analysis confirmed that the attack was isolated to the legacy yETH product and did not affect its newer V2 or V3 vaults, which hold over $410 million in deposits. The team emphasized that recovered assets will be returned to affected depositors, with 857.49 pxETH already reclaimed through collaboration with security firms SEAL 911 and ChainSecurity. The vulnerability, described as a "high-complexity" flaw, stemmed from a design oversight in the yETH contract's arithmetic checks.
Market reactions to the exploit were mixed. Yearn's governance token (YFI) initially dropped 4.4% post-incident but later spiked to $4,160 amid short-covering and low liquidity. The incident underscores broader challenges in DeFi security, as the attack exploited outdated code in a deprecated product. This aligns with a trend of hackers targeting legacy contracts, which often remain active despite being phased out.
The yETH exploit adds to a grim 2025 for DeFi, with over $2.5 billion lost to hacks and exploits year-to-date. CertiK's November threat report highlighted $127 million in losses during the month alone, including the $116 million Balancer hack, which also stemmed from arithmetic errors as reported by CryptoNews. Yearn's incident highlights the risks of complex smart contracts, where even minor miscalculations can lead to catastrophic losses.
Yearn has paused the affected yETH router and launched a $500,000 bug bounty program to incentivize further security audits. The team is working with Chainalysis to monitor the stolen funds and implement real-time alerts for future minting anomalies. While the protocol's core infrastructure remains secure, the attack serves as a cautionary tale for DeFi projects relying on legacy systems.