Yearn Finance protocol hacked for $9 million; attackers exploited the yETH vulnerability.
On November 30, unknown attackers targeted the Yearn Finance protocol, resulting in a total loss of $9 million, according to blockchain security experts PeckShield.
#PeckShieldAlert Year Finance @yearnfi suffered an attack resulting in a total loss of approximately $9 million.
The exploit involved the creation of a near infinite number of yETH tokens, depleting the pool in a single transaction.
~1K $ETH (worth approximately $3 million) was sent to #TornadoCashwhile that of the exploiter… pic.twitter.com/IXNygpwoWa
– PeckShieldAlert (@PeckShieldAlert) December 1, 2025
Details
The project team confirmed the hack, emphasizing that it was due to a vulnerability in the Yearn Ether (yETH) product code.
At 21:11 UTC on November 30, an incident occurred involving the stablecoin exchange pool yETH, which resulted in the creation of a large amount of yETH. The affected contract is a customized version of the popular stableswap code, unrelated to other Yearn products. Yearn V2/V3 vaults are not at risk.
– yearn (@yearnfi) December 1, 2025
According to PeckShield, the attackers created an almost infinite number of tokens, emptying the entire pool in a single transaction of 1,000 ETH (~$3 million).
The stolen funds were immediately sent by the hackers to the Tornado Cash crypto mixer.
Yearn developers said that the affected contract is a customized version of the popular stableswap code, not related to other protocol products. Yearn V2/V3 remains secure, they stressed.
Preliminary data indicated the following approximate losses:
- $8 million from the relevant stablecoin exchange pool;
- $0.9 million from the yETH-WETH stablecoin swap pool on Curve.
“Initial analysis showed that the complexity of the hack is similar to that of recent balancer exploitso please be patient while we perform our analysis. No other Yearn product uses code similar to the one affected,” the project team added.
Impact
Following the incident, the Yearn token – YFI – fell by 5.5%. At the time of writing, the asset is trading around $3,900 with a market cap of $132.6 million.
TVL of the protocol went from $432 million to $410 million over the last day. At its peak in November 2021, this figure was $6.7 billion.
This latest incident is not Yearn’s first hack. In 2021, an unknown party mined $2.8 million from the yDAI v1 pool. The project quickly compensated affected users for their losses.
In December 2023, due to a “wrong scenario” in a multisig transaction, the protocol lost 63% of its treasury funds in the Lp yCRV pool. The incident occurred during a “routine token fee conversion process” and resulted in the exchange of 3,794,894 yCRV for 779,958 yvDAI. The team said the loss was $1.4 million.
In November 2025, on-chain researcher tanuki42 discovered an undisclosed hack of market maker DWF Labs for $44 million.
Have you ever heard of the text? Select it and press CTRL+ENTER
ForkLog Message: держите руку на пульсе биткоин-industry!
