Yearn Finance published a detailed analysis of last week’s yETH exploit, explaining how a digital breach in one of its legacy stablecoin exchange pools allowed an attacker to create a nearly unlimited amount of LP tokens and steal approximately $9 million in assets.
The DeFi platform said it has already recovered part of the stolen funds.
In the reportYearn said the attack hit the yETH weighted stablecoin exchange pool at block 23,914,086 on November 30, 2025.
DISCOVER: Top 20 cryptocurrencies to buy in 2025
Which Yearn products were affected and which remained safe?
The breach followed what the team described as “a complex sequence of operations” that pushed the pool’s internal solver into a divergent state and then triggered an arithmetic overflow.
Yearn noted that its v2 and v3 safes, along with the rest of its products, “have not been affected.” The impact has remained limited to yETH and related systems.
The attacker targeted a custom stableswap pool containing several liquid staking tokens: apxETH, sfrxETH, wstETH, cbETH, rETH, ETHx, mETH, and wOETH, as well as a yETH/WETH curve pool.
According to Yearn’s asset snapshot, the pools held a mix of LST and 298.35 WETH before the exploit occurred.
Yearn’s autopsy divides the attack into three clear stages.
In the first stage, the attacker used a series of unbalanced add_liquidity deposits that pushed the pool’s fixed-point solver into a state it was not designed for.
This move caused the inner product term, Π, to fall to zero. Once this happened, the weighted stable swap invariant failed, allowing the attacker to create many more yETH LP tokens than the value they had actually deposited.
With these inflated LP tokens in hand, the attacker moved on to the next phase.
They repeatedly called remove_liquidity and related functions, removing almost all of the LST liquidity. The bulk of the losses fell on the liquidity owned by the protocol within the staking contract.
DISCOVER: 9+ Best High Risk, High Reward Cryptocurrencies to Buy in 2025
What funds do you aspire to recover so far, and who will receive them?
According to Strivethis sequence drove the pool’s internal supply to zero even though ERC-20 balances still showed tokens in the contract.
In the last step, the attacker slipped into a “bootstrap” initialization path that was only intended for the first launch of the pool.
By sending a counterfeit dust-level setup that violated a key domain rule, they triggered a dangerous subtraction. This substream created a massive batch of new yETH LP tokens and completed the feat.
Yearn said the underflow was so severe that it created what the team called an “infinite mint.” The attacker used this flaw to drain the yETH/ETH curve pool.
The project said it has collected 857.49 pxETH so far with the help of the Plume and Dinero teams. A recovery operation took place on December 1.
Yearn plans to return recovered assets to yETH depositors on a pro-rata basis, using balances immediately before the exploit. Any subsequent recoveries, whether due to attacker cooperation or further tracing efforts, will also be returned to depositors. The timeline published by Yearn shows that a war room formed approximately 20 minutes after the breach.
The SEAL 911 Task Force joined shortly after. Investigators say the attacker sent 1,000 ETH to Tornado Cash later that night and transferred the remaining funds through the mixer on December 5.
An earlier report from The Block indicated that approximately $3 million in ETH was transferred via Tornado Cash in the hours following the attack.
The post-mortem also reminds users that YIP-72 governs yETH. He highlights the product’s “Use at our own risk” clause, which states that Yearn contributors and YFI governance are not responsible for covering losses.
The report states that all recovered funds will be returned to affected users.
DISCOVER: 15+ Coinbase Lists to Watch in 2025
The post Everything You Need to Know About Yearn Finance Exploit appeared first on 99Bitcoins.
