Legacy Code Flaw Enables $9M DeFi Heist, Exposing Sector's Vulnerabilities

Generated by AI agent Coin World, reviewed by AInvest News Editorial Team
Monday, Dec 1, 2025 5:54 am ET

- Yearn Finance lost $9 million in 2025 after a hacker exploited a legacy yETH pool vulnerability to mint infinite tokens and drain liquidity.

- The attack used self-destructing contracts to obscure traces, stealing $3 million via Tornado Cash while $6 million remained in the attacker's wallet.

- Yearn halted the affected pool and pledged to audit pre-2023 contracts, highlighting risks from outdated smart contract logic in DeFi protocols.

- The breach occurred amid a $127 million sector-wide hacking trend in 2025, underscoring urgent needs for rigorous audits and hybrid verification systems.

Yearn Finance, a prominent decentralized finance (DeFi) platform, suffered a $9 million loss on November 30, 2025, after a hacker exploited a vulnerability in its yETH token pool, minting near-infinite tokens to drain liquidity pools in a single transaction. The attack targeted a legacy yETH stableswap pool, allowing the perpetrator to generate approximately 235 trillion yETH tokens - effectively an infinite supply - and extract real assets such as ETH and liquid staking derivatives from Balancer and Curve pools. The stolen funds included $3 million in ETH routed through Tornado Cash, a privacy-focused mixer, while an additional $6 million remained in the attacker's wallet. Yearn Finance confirmed that its newer V2 and V3 vaults were unaffected, emphasizing that the breach was isolated to the yETH product.

The exploit relied on outdated smart contract logic in the yETH pool, which failed to properly validate token minting conditions. Attackers deployed and later self-destructed helper contracts to obscure their on-chain footprint, a tactic observed in prior DeFi breaches. Blockchain security firm PeckShield noted that the vulnerability stemmed from "faulty invariants and rate-update logic" in the yETH contract. The incident follows a broader trend of DeFi exploits in 2025, with the sector losing over $127 million to hacks and scams in November alone, including a $116 million Balancer cross-chain attack.

Yearn Finance's response included halting the affected yETH pool and collaborating with auditors to identify the root cause. The platform's co-founder, Andre Cronje, highlighted the risks of legacy code, vowing to audit pre-2023 contracts and implement safeguards to prevent future incidents. Despite assurances, the breach triggered a short-lived spike in YFI, Yearn's governance token, which briefly rose from $4,080 to $4,160 due to liquidity imbalances and short-covering. The token's thin market and low circulating supply amplified volatility during the incident.

The attack underscores persistent challenges in DeFi security, where complex smart contracts and composability create attack vectors. Experts stress the need for rigorous audits, sunset clauses for legacy contracts, and hybrid on-chain/off-chain verification systems to mitigate risks. For users, the incident serves as a cautionary tale about the trade-offs between high-yield opportunities and protocol vulnerabilities. Yearn's transparency in disclosing the breach and its commitment to post-incident analysis may help rebuild trust, but the event reinforces the sector's susceptibility to sophisticated exploits.
