Yearn Finance suffered a theft that caused a loss of nearly $9 million after an exploit that manipulated the yETH token contract. The attack began when the attackers identified a critical bug that allowed them to mint yETH without posting collateral and use that artificial supply to drain liquidity from an external pool.
At 21:11 UTC on Nov 30, an incident occurred involving the yETH stableswap pool that resulted in the minting of a large amount of yETH. The contract impacted is a custom version of popular stableswap code, unrelated to other Yearn products. Yearn V2/V3 vaults are not at risk.
— yearn (@yearnfi) December 1, 2025
The incident hit a contract designed to aggregate stETH and rETH, operating outside Yearnās core vault infrastructure. The attackers moved more than $3 million in ETH to Tornado Cash and retain roughly $6 million in staking derivatives in a single address. The protocol reported that the failure impacted a yETH-WETH Curve stableswap pool for $0.9 million and an additional custom contract for $8 million. The team has opened a war room with SEAL911 and Chain Security to review the technical vector and isolate the full scope of the impact. The yUSND and Nerite vaults remain secure.
Yearn will share mitigation measures once the full analysis is complete, which includes examining potential similarities to other recent exploits tied to precision errors and internal calculations in liquidity contracts
Source: https://x.com/yearnfi/status/1995344733154250993
Disclaimer:Ā Crypto Economy Flash News are based on verified public and official sources. Their purpose is to provide fast, factual updates about relevant events in the crypto and blockchain ecosystem.
This information does not constitute financial advice or investment recommendation. Readers are encouraged to verify all details through official project channels before making any related decisions
