Ethereum News Today: DeFi's Ghost Contracts Drain $9M from Yearn's Legacy System

Generated by AI agent, Coin World; reviewed by AInvest News Editorial Team
Monday, Dec 1, 2025 1:25 am ET

Summary

- Yearn Finance lost $9M in 2025 after hackers exploited a legacy yETH contract vulnerability, minting 235 trillion tokens to drain liquidity pools.

- Attackers laundered $3M via Tornado Cash while $6M remains in their wallet, highlighting DeFi's persistent smart contract security risks.

- Yearn isolated the breach to deprecated contracts, deployed v1.1 patches, and offered $500K bounties to address systemic "ghost contract" vulnerabilities.

- The incident aligns with $127M+ in DeFi hacks in 2025, underscoring urgent needs for real-time monitoring and improved token security protocols.

Yearn Finance, a leading decentralized finance (DeFi) platform, suffered a $9 million exploit on November 30, 2025, after a hacker exploited a vulnerability in its legacy yETH token contract. The attack involved minting an unlimited number of yETH tokens, draining liquidity pools, and funneling the proceeds through Tornado Cash, a privacy tool designed to obscure transaction trails. The incident highlights ongoing security challenges in the DeFi sector, where complex smart contract ecosystems remain vulnerable to sophisticated exploits.

The exploit targeted a stableswap pool linked to yETH, a liquid staking derivative index token. Attackers deployed helper contracts, a common tactic to evade attribution. By minting 235 trillion yETH tokens in a single call—far exceeding the protocol's intended limits—the hacker drained the stableswap and Curve pools, converting the tokens into real and staked derivatives. Over 1,000 ETH ($3 million) was subsequently sent to Tornado Cash, with the remaining $6 million in mixed assets still held in the attacker's wallet.
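The closing paragraphs call for real-time monitoring; as an added illustration (not code from Yearn or from this article), here is a detector run over constructed ERC-20 Transfer events that flags a mint exceeding a per-mint cap or a fraction of the running supply, the kind of signal a single 235-trillion-token mint would trip. The event values, the 1,000-token cap and the 5,000-token starting supply are hypothetical.

```python
"""Flag anomalous mints in an ERC-20 Transfer event stream (constructed sample data,
not real on-chain logs). A mint is a Transfer from the zero address; one mint that
exceeds a cap or dwarfs the running supply is the signal monitoring should raise."""
from dataclasses import dataclass

ZERO = "0x" + "0" * 40
WEI = 10**18

@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    receiver: str
    amount: int  # raw units, 18 decimals assumed

def is_mint(ev: Transfer) -> bool:
    return ev.sender == ZERO

def detect_anomalous_mints(events, supply_before, hard_cap, ratio=0.10):
    """Return (block, receiver, whole tokens, reasons) for each suspicious mint.
    Running supply is updated after each mint so the ratio check tracks growth."""
    alerts, supply = [], supply_before
    for ev in events:
        if not is_mint(ev):
            continue
        reasons = []
        if ev.amount > hard_cap:
            reasons.append("exceeds hard cap")
        if supply > 0 and ev.amount > ratio * supply:
            reasons.append(f"exceeds {ratio:.0%} of running supply")
        if reasons:
            alerts.append((ev.block, ev.receiver, ev.amount // WEI, reasons))
        supply += ev.amount
    return alerts

# Constructed events: two routine mints, then a 235-trillion-token mint in one call.
SAMPLE_EVENTS = [
    Transfer(100, ZERO, "0xaaaa", 50 * WEI),
    Transfer(101, "0xaaaa", "0xbbbb", 20 * WEI),   # ordinary transfer, not a mint
    Transfer(102, ZERO, "0xcccc", 120 * WEI),
    Transfer(103, ZERO, "0xdddd", 235_000_000_000_000 * WEI),
]
SUPPLY_BEFORE = 5_000 * WEI   # hypothetical circulating supply before block 100
HARD_CAP = 1_000 * WEI        # hypothetical per-mint ceiling the issuer should enforce

if __name__ == "__main__":
    for alert in detect_anomalous_mints(SAMPLE_EVENTS, SUPPLY_BEFORE, HARD_CAP):
        print(alert)
```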

Yearn Finance's response emphasized that its active V2 and V3 Vaults remained unaffected, a critical distinction for users. The platform confirmed the breach was isolated to a deprecated yETH contract, a product it had moved away from in favor of newer liquid staking models. This "legacy contract" issue is not unique to Yearn; numerous DeFi protocols retain outdated smart contracts with residual liquidity, creating exploitable blind spots. The company has since paused the router, deployed a patched v1.1 contract, and launched a $500,000 bug bounty to incentivize further security audits.

The attack underscores a broader pattern in DeFi security. CertiK's November 2025 threat report revealed $127 million in losses from hacks and scams, with Balancer's $116 million exploit being the most significant. These incidents reflect the sector's struggle to balance innovation with robust safeguards. While Yearn's governance token (YFI) dipped 4.4% post-attack, the firm's track record of recovering from prior breaches—such as the 2021 yDAI exploit and 2023 treasury drain—suggests resilience. A proposed $3.2 million reimbursement via a Merkle drop is under consideration, though no formal plan has been announced.

Industry experts stress the need for proactive measures. The yETH exploit exemplifies how deprecated contracts, if not properly decommissioned, can become "ghost contracts" with real financial consequences. Enhanced audit protocols, real-time monitoring, and improved token security APIs are increasingly critical. Platforms like GoPlus are gaining traction as DeFi actors prioritize risk mitigation.

As the sector matures, the challenge lies in addressing both technical vulnerabilities and systemic issues like privacy tool misuse. Tornado Cash's role in laundering stolen assets has drawn regulatory scrutiny, yet its utility for legitimate privacy remains contentious. For DeFi to achieve mainstream adoption, stakeholders must balance innovation with accountability—a task that demands collaboration across developers, auditors, and regulators.