Legacy Contract Math Flaw Enables $9M DeFi Heist, Yearn Recovers $2.4M

Generated by AI Agent Coin World, reviewed by AInvest News Editorial Team
Tuesday, Dec 2, 2025 3:40 am ET, 2 min read

- Yearn Finance recovered $2.4M of $9M lost in a yETH stableswap pool exploit via partners Plume and Dinero.

- Attackers exploited an arithmetic flaw in the legacy yETH contract to mint an effectively unlimited supply of yETH and drain liquidity pools.

- The breach highlighted DeFi security risks, with experts urging retirement of legacy contracts and improved auditing.

- YFI token saw short-term volatility as traders misinterpreted the attack's scope before reversing positions.

- Incident adds to $127M+ in DeFi hacks in November 2025, emphasizing evolving sophistication of cyber threats.

Yearn Finance has recovered $2.4 million of the $9 million lost in a recent exploit targeting its yETH stableswap pool, a partial but significant step in mitigating the damage from one of the most complex DeFi breaches of 2025. The recovery, coordinated with partners Plume and Dinero, involved reclaiming 857.49 pxETH tokens, which will be returned to affected depositors as investigations into the broader incident continue [according to reports](https://www.bitget.com/amp/news/detail/12560605091061). The attack, executed on November 30 at 21:11 UTC, abused a subtle arithmetic flaw in Yearn's legacy yETH contract that let the attacker mint an effectively unlimited amount of yETH and drain liquidity from two pools: approximately $8 million from the yETH stableswap pool and $900,000 from the yETH-WETH pool on Curve [according to analysis](https://coincentral.com/yearn-finance-yeth-exploited-for-3-million-in-unlimited-minting-attack/).

The vulnerability stemmed from a critical error in the smart contract's calculation logic: a missing division caused the cached virtual balance product (vb_prod), the quantity the pool's invariant math is built on, to inflate uncontrollably with no corresponding change in real balances. This let the attacker mint yETH that was backed by nothing and swap it for real assets held by the pools [as data shows](https://www.cointribune.com/en/yearn-finance-a-flaw-in-the-yeth-contract-allows-a-hacker-to-drain-millions/). The exploit was executed in a single transaction, with the attacker deploying temporary helper contracts to obscure their trail and self-destructing them afterwards. Around 1,000 ETH, valued at $3 million, was then laundered through a privacy-focused mixer, complicating full recovery efforts [according to reports](https://coincentral.com/yearn-finance-yeth-exploited-for-3-million-in-unlimited-minting-attack/).
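The bug class described above, a cached invariant that is updated incrementally and whose update step fails to divide out the factor it previously contributed, is easy to reproduce in isolation. The following is an added illustration written for this article, not Yearn's yETH code and not a reconstruction of the actual exploit path. The toy pool, its token balances, its rates and the names `RatePool`, `true_vb_prod`, `update_rate_buggy` and `drift_after_refreshes` are all constructed here for the example; it uses 1e18 fixed-point integers so the arithmetic behaves like Vyper's. The correct update multiplies the cached `vb_prod` by the new rate and divides by the old one; the buggy variant divides by `PRECISION` instead, so each rate refresh leaves the cached product inflated by the old rate, and a from-scratch recomputation exposes the drift.

```python
# Added illustration of a cached product-of-virtual-balances invariant
# drifting when the incremental update omits the division by the old rate.
# Not Yearn's code; pool state below is constructed for the example.
PRECISION = 10**18  # 1.0 in 18-decimal fixed point, as in Vyper pools


def true_vb_prod(balances, rates):
    """Recompute the product of virtual balances from scratch.

    Virtual balance of token i is balance_i * rate_i / PRECISION; the
    running product is kept in the same 1e18 scale.
    """
    prod = PRECISION
    for bal, rate in zip(balances, rates):
        vb = bal * rate // PRECISION
        prod = prod * vb // PRECISION
    return prod


class RatePool:
    """Toy pool that caches vb_prod and updates it incrementally on rate changes."""

    def __init__(self, balances, rates):
        self.balances = list(balances)
        self.rates = list(rates)
        self.vb_prod = true_vb_prod(self.balances, self.rates)

    def update_rate_correct(self, i, new_rate):
        # vb_i scales by new_rate/old_rate, so the cached product must be
        # multiplied by the new rate AND divided by the rate it previously held.
        self.vb_prod = self.vb_prod * new_rate // self.rates[i]
        self.rates[i] = new_rate

    def update_rate_buggy(self, i, new_rate):
        # Hypothetical bug of the class the article describes: the division
        # by the old rate is replaced by a division by PRECISION, so every
        # refresh multiplies the cached product by old_rate/1.0 on top of
        # the intended change. Real balances never move.
        self.vb_prod = self.vb_prod * new_rate // PRECISION
        self.rates[i] = new_rate

    def invariant_ok(self, tolerance_wei=1):
        """The check a reviewer wants: cached value must match recomputation."""
        recomputed = true_vb_prod(self.balances, self.rates)
        return abs(self.vb_prod - recomputed) <= tolerance_wei


def drift_after_refreshes(buggy, n_refresh):
    """Apply n_refresh rate bumps on token 0; return (cached, recomputed, ok)."""
    # Constructed sample state: two tokens, 1000 units each, rate 1.05.
    pool = RatePool([1000 * PRECISION] * 2, [105 * 10**16] * 2)
    rate = 105 * 10**16
    for _ in range(n_refresh):
        rate += 5 * 10**16  # constructed: each refresh raises the rate by 0.05
        if buggy:
            pool.update_rate_buggy(0, rate)
        else:
            pool.update_rate_correct(0, rate)
    return pool.vb_prod, true_vb_prod(pool.balances, pool.rates), pool.invariant_ok()


if __name__ == "__main__":
    for buggy in (False, True):
        cached, recomputed, ok = drift_after_refreshes(buggy, 3)
        label = "buggy  " if buggy else "correct"
        print(f"{label}: cached={cached / PRECISION:.1f} "
              f"recomputed={recomputed / PRECISION:.1f} invariant_ok={ok}")
```

With the correct update the cached product tracks the recomputed one exactly through every refresh; with the buggy update three refreshes leave the cache about 33% above the value the real balances support. In a production pool the cached value, not the recomputed one, is what prices LP tokens and swaps, which is why such drift turns into unbacked minting. A cheap mitigation, independent of whatever the root cause turns out to be, is to recompute the invariant from scratch on the paths that mint or burn LP tokens and revert when the two disagree beyond rounding.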

Yearn emphasized that its V2 and V3 vaults, which hold over $600 million in total value locked, remained unaffected by the breach, as the vulnerability was isolated to the legacy yETH implementation [according to reports](https://www.cryptotimes.io/2025/12/02/yearn-finance-recovers-2-4m-after-9m-yeth-exploit-shakes-defi/). The protocol's swift response, including collaboration with security firms SEAL 911 and ChainSecurity, helped neutralize the attacker's remaining pxETH positions and redirect assets back to the protocol [according to updates](https://crypto.news/yearn-finance-recovers-2-4m-yeth-exploit-2025/). Despite the partial success, the incident underscores the persistent risks in DeFi, where even audited platforms can harbor undetected flaws. The attack mirrors similar exploits on Balancer and Curve in recent years, highlighting the dangers of legacy contracts and complex mathematical logic in smart contracts [as analysis shows](https://www.cointribune.com/en/yearn-finance-a-flaw-in-the-yeth-contract-allows-a-hacker-to-drain-millions/).

The breach also triggered short-term volatility in Yearn's governance token, YFI, which rose from $4,080 to $4,160 (about 2%) after the market initially misjudged the attack's scope. Traders first shorted YFI, then reversed their positions once it became clear that the exploit did not compromise the core vaults [as data indicates](https://beincrypto.com/yearn-finance-yeth-exploit-drains-millions/). The swing exposed the token's illiquidity, a recurring issue for DeFi governance assets with low circulating supplies [according to analysis](https://www.cryptotimes.io/2025/12/02/yearn-finance-recovers-2-4m-after-9m-yeth-exploit-shakes-defi/).

Industry experts warn that such incidents will continue to test the resilience of DeFi protocols as attackers increasingly employ multi-step strategies involving self-destructing contracts and privacy tools. The yETH exploit adds to a grim year for DeFi security, with over $127 million lost to hacks in November 2025 alone [according to reports](https://www.cryptopolitan.com/yearn-finances-yeth-pool-exploited/). Analysts stress the need for protocols to retire legacy contracts, adopt more rigorous auditing practices, and prioritize mathematical rigor over gas efficiency in smart contract design [as data shows](https://www.cointribune.com/en/yearn-finance-a-flaw-in-the-yeth-contract-allows-a-hacker-to-drain-millions/).

Yearn Finance has pledged to release a full post-mortem once audit partners finalize their review, while ongoing recovery efforts focus on tracing remaining assets linked to the attacker's wallets. The incident serves as a stark reminder of the evolving sophistication of DeFi threats, even as the industry's innovation and decentralization continue to attract both users and malicious actors [according to updates](https://crypto.news/yearn-finance-recovers-2-4m-yeth-exploit-2025/).