- Yearn Finance suffered an infinite mint attack.
- The attacker targeted a custom StableSwap pool.
- Yearn lost $22 million in two previous flash loan exploits.
On Monday, DeFi protocol Yearn Finance suffered a $9 million exploit that affected the project’s yETH liquid staking pool token.
Onchain data shows that the attack targeted Yearn’s StableSwap pool, a custom vault for trading liquid staking derivative tokens.
The incident follows the $128 million loss suffered by Balancer, another pioneering DeFi protocol.
As with Balancer, the affected smart contracts have also been audited by several blockchain security companies.
The attack also adds to mounting losses for crypto investors from hacks and exploits this year.
$2.5 billion
Bad actors have already looted over $2.5 billion from crypto exchanges and DeFi protocols in 2025, according to data from DefiLlama.
The Yearn attacker turned a math bug in the yETH smart contract into an infinite money problem.
This type of issue allows a bad actor to inflate the supply of a token while the affected protocol still assumes the correct price index.
The Yearn exploiter used this vulnerability to create approximately 235 trillion yETH out of thin air, according to on-chain data. With the inflated supply in hand, the attacker targeted the custom StableSwap pool, which initially contained around $11 million worth of liquid staking tokens.
The attacker withdrew approximately $8 million from the pool in a single transaction, then swapped $900,000 worth of yETH for wrapped Ethereum.
They also sent $3 million worth of Ethereum to Tornado Cash.
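The mismatch described above, supply growing while the assumed price index stays put, is something a monitor can check as an invariant. The following is an added example, not code from Yearn or from this article; the snapshot fields, the tolerance and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Snapshot:
    block: int
    supply: Decimal    # total pool-token supply
    reserves: Decimal  # backing assets held by the pool, in ETH terms
    rate: Decimal      # price index the protocol assumes (ETH per token)

TOLERANCE = Decimal("0.001")  # slack for fees and rounding (assumed value)

def check_transition(prev: Snapshot, cur: Snapshot) -> list[str]:
    """Return the invariants violated when moving from prev to cur."""
    alerts = []
    minted = cur.supply - prev.supply
    added = max(cur.reserves - prev.reserves, Decimal(0))
    # New supply, valued at the assumed index, must arrive with matching assets.
    if minted > 0 and minted * cur.rate > added * (1 + TOLERANCE):
        alerts.append("UNBACKED_MINT")
    # All outstanding claims at the assumed index must be covered by reserves.
    if cur.supply * cur.rate > cur.reserves * (1 + TOLERANCE):
        alerts.append("UNDERCOLLATERALIZED")
    return alerts

def scan(snapshots: list[Snapshot]) -> dict[int, list[str]]:
    """Check each consecutive pair of snapshots; map block -> alerts."""
    findings = {}
    for prev, cur in zip(snapshots, snapshots[1:]):
        alerts = check_transition(prev, cur)
        if alerts:
            findings[cur.block] = alerts
    return findings

D = Decimal
# Constructed sample data: a baseline, a normal deposit, a supply jump with
# no new reserves and an unchanged index, then a large withdrawal.
SAMPLE = [
    Snapshot(100, D("10000"), D("10000"), D("1")),
    Snapshot(101, D("10100"), D("10100"), D("1")),
    Snapshot(102, D("235000000010100"), D("10100"), D("1")),
    Snapshot(103, D("235000000010100"), D("3000"), D("1")),
]

if __name__ == "__main__":
    for block, alerts in scan(SAMPLE).items():
        print(block, ", ".join(alerts))
```
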
Infinite Money Bug
Bad actors have used infinite mint bugs to attack other DeFi protocols and blockchains in the past, including Wormhole, Abracadabra, and Harmony.
These are a subset of mathematical errors in smart contracts, alongside rounding errors that result in loss of precision.
Blockchain security auditors often overlook mathematical errors, leading to cases where even heavily audited protocols still fall victim to malicious exploits.
Yearn has already suffered two flash loan attacks, resulting in losses totaling $22 million.
Osato Avan-Nomayo is our DeFi correspondent based in Nigeria. He covers DeFi and technology. Have a tip? Please contact him at osato@dlnews.com.


