What Happened?
Yearn Finance, a well-known DeFi platform, experienced a serious security breach on November 30.
A hacker discovered an “infinite mint” bug in yETH, one of Yearn’s experimental products.
This flaw allowed the attacker to create unlimited yETH tokens out of nothing — and then swap them for real assets.
In just one transaction, the hacker stole about 1,000 ETH, worth roughly $3 million.
🧨 How the Attack Worked
1. Infinite yETH Creation
The attacker deployed new smart contracts designed to trick the yETH system.
These contracts bypassed normal safety checks and allowed the hacker to mint trillions of fake yETH tokens without depositing any collateral.
2. Draining the Liquidity Pool
With this massive amount of worthless yETH, the hacker went to a Balancer liquidity pool and swapped the fake tokens for real assets such as:
- ETH
- stETH
Within moments, the pool’s value collapsed to nearly zero.
3. Hiding the Funds
After making off with the stolen ETH, the hacker split the funds into smaller transactions and sent them through Tornado Cash — a privacy mixer often used to hide the origins of crypto funds.
This makes tracing the stolen money extremely hard.
The malicious smart contracts then self-destructed, erasing evidence of the attack — a common move in sophisticated DeFi hacks.
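The condition described in step 1 (tokens minted with no collateral deposited) is something a monitor can check per transaction. The following is an added example, not code from the article or from Yearn; the event schema, the 1% tolerance, and the assumption that token and collateral amounts share an ETH-denominated unit are all hypothetical.

```python
from decimal import Decimal

# Constructed sample events (not real chain data).
# Hypothetical schema: (tx_hash, kind, amount), amounts ETH-denominated.
SAMPLE_EVENTS = [
    ("0xaaa", "deposit", Decimal("10")),
    ("0xaaa", "mint", Decimal("9.98")),
    ("0xbbb", "deposit", Decimal("2.5")),
    ("0xbbb", "mint", Decimal("2.49")),
    ("0xccc", "mint", Decimal("1000000000000")),  # mint with no deposit at all
    ("0xddd", "deposit", Decimal("1")),
    ("0xddd", "mint", Decimal("1.2")),            # mint exceeds deposit by 20%
]

def totals_per_tx(events):
    """Sum minted tokens and deposited collateral per transaction, in order seen."""
    per_tx = {}
    for tx, kind, amount in events:
        totals = per_tx.setdefault(tx, {"mint": Decimal(0), "deposit": Decimal(0)})
        if kind not in totals:
            raise ValueError(f"unknown event kind: {kind}")
        totals[kind] += amount
    return per_tx

def find_unbacked_mints(events, tolerance=Decimal("0.01")):
    """Flag transactions that mint more than they deposit, beyond the tolerance."""
    alerts = []
    for tx, t in totals_per_tx(events).items():
        if t["mint"] > t["deposit"] * (1 + tolerance):
            alerts.append({"tx": tx, "minted": t["mint"],
                           "deposited": t["deposit"],
                           "excess": t["mint"] - t["deposit"]})
    return alerts

def first_supply_breach(events, tolerance=Decimal("0.01")):
    """Return the first tx after which cumulative supply exceeds cumulative
    collateral beyond the tolerance, or None if the invariant always holds."""
    supply = collateral = Decimal(0)
    for tx, t in totals_per_tx(events).items():
        supply += t["mint"]
        collateral += t["deposit"]
        if supply > collateral * (1 + tolerance):
            return tx
    return None

if __name__ == "__main__":
    for alert in find_unbacked_mints(SAMPLE_EVENTS):
        print(alert)
    print("first breach:", first_supply_breach(SAMPLE_EVENTS))
```

The per-transaction check catches a single oversized mint, while the cumulative check also catches backing that erodes across several transactions.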
💡 What Exactly Is yETH?
yETH is a liquid staking token index designed to make Ethereum staking easier.
Instead of choosing a single staking provider, yETH bundles multiple popular staking tokens — like stETH (Lido) and rETH (Rocket Pool) — into one.
Benefits:
- Diversified staking exposure
- Simpler for everyday users
- Grew to over $8.8 million in total value locked
However, it is an experimental product and not part of Yearn’s main vault system.
🛡 Yearn Finance Responds
Yearn confirmed the exploit shortly after it happened and stated that:
- The issue is limited to the yETH pool
- Their core vaults, which manage over $500 million, were not affected
Because the issue was confined to the yETH pool, the situation did not escalate into a much larger disaster.
Yearn reminded users that yETH is a separate experimental index, not a core component of their secure vault architecture.
🕰 Not the First Incident
This isn’t the first time Yearn Finance has faced a breach.
In April 2023, an outdated contract was exploited, resulting in an $11 million loss.
📝 Summary
✨ A bug in yETH allowed a hacker to mint unlimited tokens.
✨ Around $3 million in ETH was drained from a Balancer pool.
✨ Funds were laundered through Tornado Cash.
✨ Yearn’s main vaults were unaffected.
