Yearn Finance Hit by yETH Exploit — Millions Lost After “Infinite‑Mint” Attack
In a dramatic blow to one of DeFi’s pioneering platforms, Yearn Finance recently confirmed that its yETH product was exploited — allowing an attacker to mint virtually unlimited tokens and drain millions from liquidity pools. The news has sent ripples through the crypto world and reignited concerns about the security of complex DeFi protocols.
What happened: the sequence of the attack
On the evening of November 30, 2025 (around 21:11 UTC), blockchain data flagged a suspicious transaction: a malicious wallet minted an astronomical number of yETH tokens in a single move. According to analyses, the attacker managed to create roughly 235 trillion yETH tokens in that transaction alone.
With those fraudulent tokens, the attacker drained liquidity from pools on Balancer, extracting real assets such as ETH and liquid-staking tokens (LSTs). Roughly $2.8–3 million in ETH was transferred through a mixing service in an apparent money‑laundering move.
In a public statement, Yearn clarified that the exploit affected only the legacy yETH contract. Their V2 and V3 vaults remain unaffected and intact.
The vulnerability: unlimited minting in the smart‑contract code
According to security firms and blockchain analysts, the root of the exploit was a flaw in the yETH token contract that allowed “infinite minting.” In effect, the contract failed to enforce limits or prerequisites on mint operations — so a malicious actor could create vast quantities of yETH tokens out of thin air.
This exploit did not target Yearn’s vault logic or lending mechanics, but rather the “index token” wrapper for liquid staking assets. Because yETH represents a basket of underlying staking tokens, minting unlimited yETH lets an attacker redeem or swap those fake tokens for real assets — then drain the backing pools.
Impact: financial loss and broader implications for DeFi
The immediate loss appears to center around $2.8–3 million in ETH and associated liquid-staking tokens. Despite the modest sum relative to some recent mega‑hacks, the incident underlines critical systemic risks: even mature, audited DeFi platforms can be undermined by subtle mistakes in token contract design.
The exploit also triggered a price shock in the governance token YFI, which briefly spiked as panic selling was met by rapid repositioning from traders.
For users of Yearn and other DeFi protocols, the takeaway is stark: “vaults” or “liquidity pools” are only as safe as the smart contracts that underlie them. This yETH exploit serves as a reminder that complexity in DeFi — especially when wrapping or aggregating other protocols (e.g., liquid staking tokens) — substantially increases attack surface and risk.
What’s next: investigation, remediation, and lessons learned
Yearn has pledged a full post‑mortem analysis in cooperation with security auditors. So far, they assert that the vulnerability was isolated to the legacy yETH contract — meaning users in newer vaults are safe for now.
Nevertheless, the incident may well trigger audits across DeFi: projects that offer index tokens, liquid staking wrappers, or complex token‑pool abstractions will likely revisit their mint logic, supply caps, and redemption mechanisms — as well as conduct deeper security reviews.
This episode underscores a hard truth: in decentralized finance, the louder the yield promise, the more silent the risk — and the consequences of a single flawed smart contract can ripple across millions.
