Legacy yETH product exploited for nine million as Yearn isolates impact

The incident was first flagged on November 30, 2025, when on-chain alerts and blockchain security firm PeckShield reported that Yearn had suffered losses of roughly $9 million tied to yETH. Yearn later confirmed the attack and published a post-mortem analysis dated December 1, 2025, explaining that the breach stemmed from a flaw in a custom stable swap pool contract used by a legacy implementation of its yETH aggregated staking token. According to the early estimates shared by security analysts and the protocol, about $8 million was drained from the main yETH pool and roughly $0.9 million from a yETH–WETH pool.

In its statements, Yearn described the affected contract as a specialized pool designed to aggregate multiple liquid staking tokens such as stETH and rETH into yETH. The vulnerability let the attacker mint fresh yETH without supplying adequate collateral, effectively inflating the supply and then using those synthetic tokens to pull real assets from external liquidity pools tied to the product. The protocol emphasized that the exploit was limited to this legacy yETH configuration and that its yCRV product, yUSND pool, Nerite vaults, and flagship V2 and V3 vaults were not at risk.

On-chain traces show that the attacker used a single highly engineered sequence to carry out the theft. Analysis by ExVul Security and other researchers describes a multi-stage attack in which the exploiter used flash loans to build a position in the yETH weighted stableswap pool, created extreme imbalances between the assets in the pool, and then abused several edge-case behaviors in the pool’s math. By repeatedly adding and removing liquidity in a specific pattern and exploiting precision-loss and state-update bugs, the attacker drove the pool’s total supply toward zero and pushed its internal accounting into an inconsistent state. At that point, a final add_liquidity call with tiny input amounts produced an “astronomical” quantity of yETH LP tokens, which were then redeemed for real assets.

Technical analysis of the pool.vy contract points to three core issues: precision loss in numerical calculations under extreme pool imbalances, yield-stripping effects tied to how staking shares were updated, and a zero-supply initialization weakness that broke the expected behavior when total LP supply approached zero. Researchers highlight a remove_liquidity call with a zero amount that still executed a full state-update loop, allowing the attacker to alter global pool values without moving funds, and subsequent update_rates calls that caused the contract to destroy staking LP supply and increase the attacker’s effective share. These stages gradually emptied the pool of certain staked ETH tokens before the final over-mint allowed the attacker to seize the remaining assets.

PeckShield and other on-chain analysts estimate that roughly $9 million in value was ultimately siphoned from the yETH ecosystem. Around 1,000 ETH, worth about $3 million at the time of the transfers, was sent to the privacy protocol Tornado Cash in an apparent attempt to obfuscate part of the haul, while several helper contracts used in the attack self-destructed shortly after execution. The rest of the stolen funds, consisting of various liquid staking derivatives and other assets, remains associated with the attacker’s address as tracked by blockchain scanners.

DeFi protocol Balancer had also proposed a governance plan to reimburse roughly $8 million in recovered assets to liquidity providers (LPs) affected by its November 3 v2 exploit, while Curve founder Michael Egorov says lessons from Yearn’s recent $9 million yETH attack analysis are “somewhat applicable” to the Balancer hack as well.

Yearn said it quickly convened a “war room” that includes internal engineers, members of the SEAL911 incident-response collective and audit firm ChainSecurity to coordinate the investigation and remediation. The protocol paused deposits into the affected pools, advised impacted users to open support tickets via its Discord, and began reviewing related contracts for similar edge-case vulnerabilities. At the same time, Yearn reiterated in public updates that its mainstream products and vaults continued to operate normally and were not directly exposed to the faulty yETH implementation.

External observers in the DeFi community have called the yETH exploit one of the most sophisticated attacks seen in recent months. Commentators noted that the operation combined flash-loan leverage, subtle precision bugs, state-manipulation via zero-amount calls and rapid fund-laundering, and pointed to it as a case study in how attackers increasingly chain multiple minor weaknesses into a single, high-impact exploit. Some protocol founders and developers cited the incident as further evidence that complex liquidity-pool math and multi-asset stable swap designs may require formal verification and stricter edge-case testing, especially where zero balances and extreme imbalances are possible.

The breach also arrived against a fragile market backdrop. Crypto markets saw selling pressure as news of the exploit spread, with traders weighing whether losses at Yearn might trigger broader risk reduction among users of protocols that integrate with its strategies. Market analysts pointed out that Yearn interacts with large platforms such as Curve and Aave, and some traders expressed concern about further withdrawals or liquidity shifts even though Yearn insisted that its core vaults remained solvent and insulated from the faulty yETH contract.

The yETH incident is not the first time Yearn has had to respond to a security or treasury-management problem. In 2021, an attacker exploited its v1 yDAI vault to take about $2.8 million, after which Yearn moved quickly to compensate affected users. In December 2023, a mis-configured multisig transaction drained roughly 63% of the project’s treasury from a yCRV liquidity pool during a routine fee-conversion process, causing a loss of around $1.4 million. Those earlier events prompted adjustments to processes and contracts; the latest exploit adds a further high-profile case to Yearn’s security history.

For now, Yearn’s team says it is focused on completing the post-mortem, working with auditors to close the vulnerabilities in the legacy yETH design and coordinating with on-chain investigators tracking the attacker’s wallets. Users of yETH and the impacted pools have been told to monitor official channels for information on next steps, while users of Yearn’s main vaults are being reassured that their positions are not directly tied to the compromised contract.