Legacy Contracts Under Fire: Yearn's $9M Loss Exposes DeFi Risks

Generated by AI Agent Coin World. Reviewed by AInvest News Editorial Team.
Monday, Dec 1, 2025 9:00 am ET
Aime Summary

- Yearn Finance lost $9M after attackers exploited a yETH contract vulnerability, draining liquidity pools via infinite minting.

- Attackers created 235 trillion tokens, laundered $3M through Tornado Cash, and used self-destructing contracts to hide trails.

- Core Vaults were unaffected; Yearn partnered with security firms to address the legacy yETH flaw.

- YFI spiked due to short squeeze but stabilized as clarity emerged on secure Vaults.

- Incident highlights DeFi risks, especially legacy contracts, amid 2025's $127M in DeFi hacks.

Yearn Finance has suffered a significant security breach, with attackers exploiting a critical vulnerability in its yETH token contract to siphon roughly $9 million in assets. The incident, which unfolded on November 30, 2025, involved the creation of an effectively unlimited supply of synthetic yETH tokens, which were then swapped for real assets from liquidity pools. The exploit targeted a legacy implementation of the yETH product.

The attack was executed through an infinite-mint vulnerability in the yETH contract, allowing the attacker to generate 235 trillion tokens in a single transaction. These synthetic tokens were used to drain liquidity from pools, with approximately $8 million removed from the main yETH stableswap pool. Around 1,000 ETH, valued at $3 million at the time, was laundered through Tornado Cash, a cryptocurrency mixer designed to obscure transaction trails. The attacker also deployed self-destructing contracts to hide the trail.

Yearn confirmed that its core V2 and V3 Vaults remained unaffected by the breach, emphasizing that the vulnerability was isolated to the legacy yETH implementation. The protocol's Total Value Locked (TVL) remained above $600 million, indicating that the broader infrastructure was not compromised. The firm has partnered with external security teams, including Chain Security and SEAL911, to investigate the incident and implement patches.

The market reaction to the breach was mixed. Despite the negative headlines, Yearn's native governance token, YFI, experienced a sharp price spike, rising from $4,080 to over $4,160 within an hour. Analysts attributed this to a short squeeze triggered by traders misinterpreting the attack's scope. Once clarity emerged that the V2 and V3 Vaults were secure, short-sellers began covering positions.

The incident highlights ongoing risks in decentralized finance (DeFi), particularly around the use of legacy smart contracts and liquid staking derivatives. This breach follows a similar exploit in 2021, where Yearn's yDAI vault lost $11 million. The broader DeFi ecosystem has faced mounting security challenges in 2025, with blockchain security firm CertiK reporting $127 million in losses from hacks and exploits in November alone.

Yearn Finance has advised users to monitor their positions and reach out via its Discord support channel. The protocol remains under investigation, with teams working to assess the full extent of the breach and implement safeguards. As the DeFi sector grapples with balancing innovation and security, this incident underscores the need for rigorous auditing and proactive risk management in complex, interconnected protocols.