Context and Introduction

Yearn Finance is one of DeFi’s flagship yield aggregators, routing deposits into strategies across lending markets, AMMs, and other on-chain yield sources. Its model leans heavily on composability, building on top of protocols like Curve, Balancer, and liquid staking platforms.

On November 30, 2025, that composability backfired. A legacy component of Yearn’s ecosystem-the yETH liquid staking token (LST) product-was hit by an “infinite-mint” exploit. The attacker minted roughly 235 trillion yETH tokens in a single transaction, then used those unbacked tokens to drain actual assets from Balancer and Curve liquidity pools.

Roughly $9 million was stolen across affected pools, including about $2.8 million in ETH and LSTs from Balancer. Around 1,000 ETH was laundered through Tornado Cash via self-destructing helper contracts, while the attacker held on to a diversified portfolio of LST derivatives.

Yearn’s core V2 and V3 vaults were not affected. Protocol TVL stayed above $600 million, with a 24-hour drawdown from roughly $432 million to $410 million. The YFI governance token briefly spiked around the time of the incident before settling lower, a move shaped by both confusion and thin liquidity.

What follows is an analysis of how the exploit worked, who was hit, how Yearn responded, and what this episode says about DeFi security, composability, and market behavior.

1. Fundamentals: Yearn Finance and the yETH Product

1.1 Yearn’s Core Value Proposition

Yearn Finance is a yield aggregator: users deposit assets into “vaults,” which deploy capital into on-chain strategies-lending, liquidity provision, staking, and more-to maximize risk-adjusted returns.

Key characteristics:

  • Automated strategy management: Vaults rebalance and harvest yields on-chain.
  • Composability: Strategies build on Curve, Balancer, LST issuers, and other DeFi protocols.
  • Capital efficiency: Aggregated deposits enable access to strategies that might be uneconomical for smaller users.

Yearn’s vault architecture has evolved:

  • V1 vaults: Early, more monolithic design.
  • V2 vaults: Improved modularity, risk controls, and strategy separation.
  • V3 vaults: Further separation of concerns and updated security assumptions.

The exploit did not touch these newer vaults. It hit a legacy yETH implementation with custom stableswap logic that diverged from the main, hardened codebase.

1.2 What Was yETH?

The yETH product was a legacy LST index-style product built around a stableswap-like pool.

Core features:

  • Underlying assets: A basket of LSTs and ETH-derivative assets, including:
    • stETH (Lido)
    • rETH (Rocket Pool)
    • Other LSTs such as pXETH, fXETH, cbETH, tETH (visible in the attacker’s holdings)
  • Mechanism: Users deposited LSTs into a stableswap pool and received yETH, representing a claim on the underlying basket.
  • Goal: One-token exposure to diversified Ethereum staking yields across multiple providers.

Crucially, yETH used custom stableswap code, separate from the battle-tested V2/V3 vault codebase. That divergence in code quality and audit coverage explains why yETH, and not the rest of Yearn, was compromised.

2. The Exploit: Infinite Mint and Liquidity Drain

2.1 High-Level Overview

On November 30, 2025, at around 21:11 UTC, an attacker executed a targeted exploit against the yETH product:

  • Infinite mint: A bug in the yETH token contract’s minting logic allowed the attacker to mint roughly 235 trillion yETH in a single transaction.
  • Liquidity drain: The attacker swapped these unbacked yETH into Balancer and Curve pools for real assets-ETH and multiple LSTs.
  • Total losses: Around $9 million:
    • ~$8 million from the primary yETH stableswap pool.
    • ~$0.9 million from a yETH–WETH Curve pool.
  • Laundering: About 1,000 ETH (~$3 million) was laundered through Tornado Cash. The rest (~$6 million) remained in a basket of LSTs.

On-chain analysts spotted the attack quickly, and Yearn confirmed it was limited to the legacy yETH implementation.

2.2 The Infinite-Mint Vulnerability

The core issue was in the yETH token minting logic:

  • No effective supply constraint: The contract allowed new yETH to be minted without:
    • Proper collateral checks,
    • Robust authorization,
    • Meaningful supply limits.
  • Broken economic invariants: Minting should be tightly coupled to new collateral deposits or controlled governance actions. Here, it wasn’t.
  • Legacy code path: The bug lived in a legacy yETH path with custom stableswap modifications, not in the standard vault framework.

The attacker’s path:

  1. Call the mint function through a helper contract.
  2. Bypass meaningful checks.
  3. Mint an enormous amount of yETH in one atomic transaction.

Because Balancer and Curve price assets based on pool balances, not global supply caps, they treated the attacker’s yETH as fully valid.

2.3 Draining the Pools: AMM Mechanics

The attacker then weaponized AMM pricing:

  • Balancer and Curve price tokens via deterministic formulas based on pool balances.
  • Flooding the pools with yETH:
    • Crashed yETH’s relative price in the pools,
    • But still allowed swaps of yETH for ETH and LSTs at economically meaningful rates.

Sequence:

  1. Mint ~235 trillion yETH.
  2. Deposit yETH into Balancer and Curve pools that held:
    • yETH
    • WETH / ETH
    • Various LSTs.
  3. Swap yETH for the other assets, draining:
    • ETH
    • stETH, rETH, and other LST derivatives.
  4. Withdraw with real assets in hand.

The AMMs had no way to distinguish “legitimate” from “illegitimate” yETH. On-chain, it was just a very large trader.

2.4 Operational Sophistication: Helper Contracts and Self-Destruct

The attacker’s execution showed high operational discipline:

  • Helper contracts:
    • Custom contracts orchestrated minting and swapping.
    • Logic was packed into tightly controlled, atomic calls.
  • Self-destruct pattern:
    • After use, helper contracts invoked selfdestruct, wiping their bytecode.
    • This complicates forensic analysis and obscures implementation details.
  • Single-transaction core exploit:
    • The mint-and-drain happened within one transaction.
    • That left no practical window for:
      • Mempool monitors to respond,
      • Admins to pause contracts,
      • On-chain circuit breakers to fire.

The combination of a subtle logic bug, precise orchestration, and immediate cleanup points to a well-prepared, technically skilled attacker.

3. Timeline and Immediate Response

3.1 Attack Timeline

  • November 30, 2025 – ~21:11 UTC:
    • Exploit transaction executed.
    • ~235 trillion yETH minted.
    • Balancer and Curve pools begin to be drained.
  • Shortly after:
    • On-chain analysts flag abnormal activity in yETH-related pools.
    • Security firms begin publicly tagging the exploit.
  • Within hours:
    • The attacker starts laundering funds via Tornado Cash, sending about 1,000 ETH in 100 ETH chunks.

3.2 Yearn’s Public Communication

Yearn’s public messaging focused on scope and containment:

  • Announcements on X confirmed:
    • An incident involving the yETH LST stableswap pool.
    • V2 and V3 vaults were unaffected.
    • yCRV and other Yearn vaults remained secure.
  • The team stressed that:
    • The exploit was confined to legacy yETH code.
    • They were working with security partners to assess losses and support affected LPs.

From exploit to clear public explanation, the window was on the order of a day-relatively quick given the complexity.

3.3 Containment and Forensics

Yearn’s immediate priorities:

  • Isolate the vulnerable component:
    • Disable or deprecate affected yETH contracts.
    • Block further minting or swapping via the compromised path.
  • Coordinate with integrated protocols:
    • Balancer and Curve, whose pools were drained.
    • Any other protocols with yETH exposure.
  • Engage security firms:
    • Produce a detailed post-mortem.
    • Scan for similar issues in other legacy components.
  • Monitor attacker wallets:
    • Track LST holdings and any further laundering.

4. Fund Flows and Attacker Portfolio

4.1 Loss Breakdown and Attacker Proceeds

Summary of the economic impact:

  • Estimated total loss: ~$9 million
    • ~$8 million from the main yETH stableswap pool.
    • ~$0.9 million from the yETH–WETH Curve pool.
  • Pre-attack yETH pool value: ~$11 million in liquidity.
  • Attacker’s post-attack position:
    • ~1,000 ETH (~$3 million) laundered through Tornado Cash.
    • ~$6 million in LST derivatives retained in attacker-controlled wallets.

4.2 Laundering via Tornado Cash

The laundering pattern was textbook:

  • Chunked transfers:
    • 1,000 ETH split into multiple 100 ETH deposits.
    • Each sent through Tornado Cash.
  • Motivation:
    • Avoid a single, obvious large transfer.
    • Blend into common mixer transaction sizes.
  • Effect:
    • Makes it far harder to trace the path from exploit address to eventual off-ramps.

4.3 Retained LST Portfolio

The attacker held a diversified LST basket, including:

  • pXETH (Dinero’s liquid ETH wrapper)
  • fXETH (Finality’s wrapped ETH)
  • stETH (Lido)
  • cbETH (Coinbase’s staking token)
  • tETH and other variants

Approximate value breakdown:

  • ~857.49 pXETH (~$2.47M)
  • ~742.63 fXETH (~$2.10M)
  • Additional amounts of stETH, cbETH, tETH, and others making up the balance.

This suggests:

  • Familiarity with the LST landscape.
  • An intent to:
    • Keep exposure to ETH staking yields.
    • Avoid a single outsized concentration in one token.
  • Likely plans to unwind slowly via multiple venues over time.

5. On-Chain and Market Metrics

5.1 Key Metrics Snapshot

MetricValueNotes
Total loss estimate~$9 millionAcross Balancer + Curve pools
Primary pool drain~$8 millionyETH stableswap pool
Secondary pool drain~$0.9 millionyETH–WETH Curve pool
Minted yETH supply~235 trillion tokensMinted in a single transaction
ETH sent to Tornado Cash1,000 ETH (~$3 million)Laundered in 100 ETH chunks
Attacker retained assets~$6 millionMostly LST derivatives
yETH pool pre-attack value~$11 millionTotal liquidity
Protocol TVL pre-incident~$432 millionApproximate TVL before exploit
Protocol TVL post-incident (24h)~$410 million~$22M (5.1%) decline
Protocol TVL (all-time peak)$6.7 billionNovember 2021 peak
YFI token price pre-attack~$4,080Before initial reports
YFI token price intraday spike~$4,160Brief spike during announcement confusion
YFI token price after clarification~$3,900 (approx.)Post-incident trading level
YFI circulating supply33,984 tokensExtremely low float
YFI market cap (around incident)~$132.6 millionPrice × circulating supply
YFI drawdown from ATH-95.8%ATH of $90,787

5.2 TVL Dynamics: Contained but Noticeable

TVL is a useful proxy for user confidence:

  • Drop: From ~$432M to ~$410M (about 5.1%) over 24 hours.
  • Context:
    • The stolen ~$9M is just over 2% of pre-incident TVL.
    • The ~$22M net TVL decline implies:
      • Direct losses plus some precautionary withdrawals.
      • No broad exit from Yearn.

Users clearly distinguished between:

  • A legacy yETH failure, and
  • The core V2/V3 vault stack, which ran as normal.

5.3 YFI Price Behavior: Volatility and Thin Liquidity

YFI’s trading around the event was noisy:

  • Initial spike:
    • From roughly $4,080 to $4,160 (+2%) as headlines appeared.
  • Subsequent pullback:
    • Settled closer to ~$3,900 once details were clearer.
  • Drivers:
    • Confusion: Early framing as a “Yearn exploit” without product-specific nuance.
    • Low float: With only 33,984 tokens circulating, modest flows can move price.
    • Thin order books: Fragmented liquidity amplifies intraday swings.

In level terms, YFI stays far below its $90,787 ATH, in line with the broader repricing of DeFi governance tokens.

6. Positioning and Comparisons: Yearn vs. DeFi Peers

6.1 Yearn’s Role in the DeFi Stack

Yearn operates as:

  • An aggregator, not a base-layer protocol:
    • It sits on top of Curve, Balancer, LST issuers, and others.
    • Its risk profile is inherently compositional-it inherits and amplifies partner risks.
  • A strategy platform:
    • Value comes from strategy design, smart contract security, and governance.

The yETH exploit underscores the tension between:

  • Innovation and composability (new products, LST indices),
  • Security and maintainability (legacy code, divergent branches).

6.2 Comparison with Other Exploited Protocols

The exploit landed in a DeFi environment already marked by major incidents, including:

  • Balancer V2 exploit (November 2025):
    • ~$128.64 million drained via an arithmetic precision bug.
    • Demonstrated that even widely respected, audited AMMs can harbor subtle flaws.
  • Previous Yearn incidents:
    • A 2021 exploit of the v1 yDAI vault (~$2.8M loss).
    • At least one additional major event, making yETH the third significant hack affecting Yearn products since 2021.

Patterns:

  • Issues cluster in:
    • Older vault generations (v1),
    • Legacy products (yETH) with custom logic.
  • Newer V2/V3 architectures have, so far, avoided comparable failures, but older components still live in the system’s shadow.

6.3 Competitive Landscape

Yearn’s peers include:

  • Other yield aggregators,
  • Protocols offering LST index products,
  • Platforms for automated strategy execution.

Yearn’s position:

  • Strengths:
    • Strong brand recognition.
    • Deep integration with major DeFi building blocks.
    • Established governance and community.
  • Weaknesses:
    • Surface area from legacy contracts.
    • A history of exploits concentrated in older components.
    • Complexity that makes end-to-end auditing challenging.

7. Scope of Compromise: What Was and Was Not Affected

7.1 Affected Components

The impact was narrow in scope but deep for those exposed:

  • Compromised:
    • Legacy yETH LST stableswap pool implementation.
    • Balancer and Curve pools holding:
      • yETH
      • WETH / ETH
      • LSTs paired against yETH.
  • Affected users:
    • LPs in:
      • The primary yETH stableswap pool (~$8M loss).
      • The yETH–WETH Curve pool (~$0.9M loss).

Many of these LPs lost most or all of their deposited value.

7.2 Unaffected Systems

Yearn and external researchers confirmed that other components were not compromised:

  • Yearn V2 vaults: Unaffected.
  • Yearn V3 vaults: Unaffected.
  • yCRV product: Unaffected.
  • Other vault strategies: No evidence of contagion.

Reasons:

  • yETH used separate contracts with distinct logic.
  • The infinite-mint bug was local to yETH, not a structural issue in Yearn’s main vault framework.

This isolation prevented a broader systemic failure.

8. Historical Context: Yearn’s Security Track Record

8.1 Prior Incidents

The yETH exploit fits into a longer security story:

  • 2021 yDAI v1 exploit:
    • Unknown attacker exploited the v1 yDAI vault.
    • Roughly $2.8 million stolen.
  • Additional major incident(s):
    • yETH is described as the third major hack affecting Yearn products since 2021.

The pattern is consistent:

  • Vulnerabilities tend to sit in:
    • Older vaults,
    • Legacy products with custom or diverged code.
  • Recent-generation vaults have a cleaner record, but legacy risk remains part of Yearn’s footprint.

8.2 TVL and Valuation Over Time

Macro trajectory:

  • TVL peak: ~$6.7B in November 2021.
  • TVL at yETH exploit: ~$432M pre-incident; ~$410M 24 hours after.
  • YFI price:
    • ATH: $90,787.
    • Around incident: ~$4,000 (about -95.8% from ATH).

This reflects:

  • The broader DeFi bear market and repricing of governance tokens.
  • Growing competition in yield aggregation and structured products.
  • The overhang of security concerns for protocols with multiple historical exploits.

9. Market Resilience and Investor Behavior

9.1 TVL Resilience

Despite the incident:

  • TVL stayed well above $400M.
  • The ~$22M net outflow was modest relative to:
    • Historical TVL,
    • The direct ~$9M loss.

Implication:

  • Users largely saw this as a product-specific failure (yETH), not a reason to abandon the core vaults.

9.2 YFI Market Reaction

YFI’s behavior fits its historical profile:

  • Short-term noise:
    • Initial spike likely from:
      • Short covering,
      • Thin liquidity,
      • Headline-driven trading.
  • After clarity:
    • Price drifted lower but without a collapse, reflecting:
      • Recognition that losses were limited,
      • Yet another addition to Yearn’s security narrative.

Given YFI’s low float and volatility, this profile is unsurprising.

9.3 Confidence in DeFi Composability

The muted systemic reaction points to a more discriminating market:

  • Investors increasingly separate:
    • Core protocol risk from peripheral product risk.
    • Isolated exploits from structural failures.
  • What matters most:
    • Scope of damage,
    • Containment,
    • Quality of the response.

In this case, markets appear to have judged the exploit serious but non-existential for Yearn.

10. Risk Analysis and Negative Scenarios

10.1 Technical Risks

Key technical risks highlighted:

  • Legacy code:
    • Custom, older products can:
      • Drift away from active maintenance,
      • Miss modern audit cycles,
      • Accumulate hidden vulnerabilities.
  • Infinite-mint bugs:
    • Failures in mint/burn logic are catastrophic:
      • They allow unbounded claims on real assets.
      • They can be weaponized quickly via AMMs and money markets.
  • Composability risk:
    • Using external protocols as building blocks means:
      • A bug in one (yETH) can cause losses in others (Balancer, Curve).
      • Cross-protocol interactions are harder to fully model.

10.2 Economic and Liquidity Risks

  • Liquidity fragmentation:
    • Tokens like YFI trade thinly, making prices more volatile and manipulable.
  • LST concentration:
    • LST-driven strategies bundle exposure to:
      • Ethereum staking itself,
      • Specific LST issuers (Lido, Rocket Pool, Coinbase, etc.).
  • Correlated shocks:
    • A major incident in a leading LST could:
      • Hit Yearn’s LST strategies,
      • Trigger liquidations, TVL outflows, or both.

10.3 Governance and Operational Risks

  • Slow retirement of legacy products:
    • Keeping older contracts live without:
      • Ongoing audits,
      • Refactors,
      • Clear risk flags, creates latent systemic risk.
  • Incident response capacity:
    • Future events might:
      • Be more complex,
      • Coincide with market stress,
      • Strain governance and communication.

10.4 Regulatory and Compliance Risks

  • Use of Tornado Cash:
    • The laundering route underscores:
      • Regulatory scrutiny of on-chain privacy tools,
      • Potential follow-on pressure on protocols repeatedly entangled in exploits.
  • Rising expectations:
    • As institutional participation increases, regulators may:
      • Push for higher security standards,
      • Require audits and disclosures,
      • Look more closely at governance-token accountability.

11. Scenario Analysis: Bull, Base, and Bear Cases

These scenarios outline paths forward for Yearn post-exploit. They are qualitative, not price targets.

11.1 Scenario Table

ScenarioDescriptionKey DriversImplications for Yearn
BullExploit triggers a security overhaul, renewed trust, and product innovation.Strong post-mortem, fast deprecation of legacy code, upgraded audits, constructive DeFi macro.TVL stabilizes or grows; YFI governance stays relevant; Yearn remains a leading aggregator.
BaseIncident is absorbed as a localized setback; Yearn makes incremental improvements.Targeted security fixes, gradual confidence recovery, neutral macro backdrop.TVL holds in the mid-hundreds of millions; YFI remains a niche governance asset; legacy risk declines slowly.
BearConfidence in Yearn’s security culture erodes, driving sustained outflows.Additional vulnerabilities, slower or opaque responses, adverse macro or regulatory headwinds.TVL shrinks materially; YFI liquidity and influence wane; Yearn cedes ground to newer competitors.

11.2 Bull Case: Security-Driven Renewal

Under a constructive trajectory:

  • Technical response:
    • Full audit sweep of legacy code.
    • Aggressive deprecation of products like yETH.
    • Consolidation around V2/V3 design patterns.
  • Governance and communication:
    • Transparent post-mortem and remediation plan.
    • Strong incentives for security contributors and white hats.
  • Market impact:
    • Users treat the exploit as a stress test that Yearn passes through effective response.
    • TVL recovers as confidence in the core vaults persists.
  • Positioning:
    • Yearn leans into its “battle-tested” status as a key DeFi aggregator.

11.3 Base Case: Incremental Improvement

In a middle path:

  • Technical steps:
    • yETH is patched or retired.
    • Some legacy components are reviewed; others linger.
  • User behavior:
    • A subset of LPs exits; most stay.
    • TVL tracks broader DeFi conditions.
  • Narrative:
    • The exploit is one of many DeFi hacks, not uniquely defining Yearn.
    • Security is acceptable but not a standout advantage.
  • Competition:
    • Yearn retains a loyal core but loses some mindshare in newer product categories.

11.4 Bear Case: Confidence Erosion

In a negative trajectory:

  • Further incidents:
    • Additional bugs surface in other legacy strategies.
    • Even smaller losses reinforce a perception problem.
  • User exodus:
    • TVL migrates toward protocols perceived as safer or simpler.
  • Governance strain:
    • Coordination around upgrades and deprecations becomes contentious.
  • Regulatory overhang:
    • Multiple exploits draw heightened scrutiny and dampen institutional interest.

The realized path will hinge on Yearn’s technical, governance, and communication choices, plus the broader DeFi environment.

12. Lessons for DeFi Security and Composability

The yETH exploit offers several clear takeaways for builders and users.

12.1 Legacy Code Is a First-Class Risk

  • Age does not equal safety:
    • Long-lived contracts can avoid incidents by luck as much as by design.
    • Legacy products:
      • May lack modern safeguards,
      • Often fall out of regular audit cycles,
      • Drift away from mainline code.
  • Practical steps:
    • Maintain an explicit registry of legacy components.
    • Periodically decide whether to:
      • Upgrade,
      • Sunset,
      • Or wrap them in additional controls.

12.2 Infinite-Mint and Supply Invariants

  • Mint/burn logic must be inviolable:
    • Tokens with mint capabilities need:
      • Clear, enforceable invariants,
      • Strict role and access controls,
      • Thorough testing, including edge cases.
  • Audit focus:
    • Treat supply and accounting functions as high-risk zones.
    • Use formal methods where practical.

12.3 Composability Demands End-to-End Thinking

  • Risk is transitive:
    • A bug in yETH propagated to Balancer and Curve, and indirectly to LST holders.
  • End-to-end modeling:
    • Contracts shouldn’t be evaluated in isolation.
    • Design and audits should:
      • Consider cross-protocol interactions,
      • Model worst-case scenarios across integrations.

12.4 Market Maturity and Incident Management

  • Exploits are part of the landscape in fast-moving DeFi.
  • What differentiates protocols is:
    • Speed and clarity of communication,
    • Effectiveness of containment,
    • Follow-through on fixes.
  • The modest TVL reaction here suggests a more nuanced market:
    • Users judge protocols on the quality of their response, not just on the presence of exploits.

13. Conclusion

The November 30, 2025 yETH infinite-mint exploit was a serious, yet contained, hit to Yearn Finance. A critical bug in a legacy yETH implementation let an attacker mint roughly 235 trillion yETH and drain around $9 million from Balancer and Curve pools, including about $2.8 million in ETH and LSTs from Balancer.

Yearn’s core V2 and V3 vaults, yCRV, and other primary products were not affected. TVL declined only modestly, and YFI’s price reaction, while volatile, was limited by the incident’s scope rather than defined by panic.

The episode reinforces several themes: legacy code is dangerous when left to drift; minting and supply invariants are non-negotiable; and composability, while powerful, carries transitive risk that must be modeled end to end. It also shows a more mature DeFi market, able to distinguish between a flawed product and a failing protocol.

Whether this becomes a turning point for Yearn’s security culture or just another entry in DeFi’s long list of exploits will depend on what the protocol does next: how aggressively it retires legacy components, how it hardens its edges, and how it communicates those changes to the users whose capital it stewards.