Yearn Finance suffers $9 Million loss in yETH Pool infinite mint exploit
Yearn Finance, a decentralized finance protocol, reported a major security breach on November 30, 2025, resulting in approximately $9 million in losses.
The exploit targeted a legacy stable swap pool associated with the protocol's yETH token, allowing the attacker to mint an effectively unlimited number of tokens in a single transaction. The attack was executed through an infinite mint vulnerability in the yETH token contract that enabled the creation of approximately 235 trillion yETH tokens without posting adequate collateral. These tokens were then swapped for real assets from Balancer and Curve liquidity pools.
Blockchain security firm PeckShield flagged the incident, reporting that the attacker exploited a flaw in the yETH token contract's minting logic. The attacker deployed several helper smart contracts minutes before executing the exploit, which self-destructed after the transaction to obscure forensic analysis. The breach affected the yETH stableswap pool, which held approximately $11 million in value before the attack, with losses broken down as $8 million from the main stableswap pool and $900,000 from the yETH-WETH pool on Curve.
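As an added defender-side example (not code from the original report or from Yearn), the following Python script shows the kind of supply-monitoring heuristic that surfaces a single-transaction mint dwarfing the existing supply: it replays ERC-20 Transfer events in chain order, treats transfers from the zero address as mints and transfers to it as burns, sums mints per transaction, and flags any transaction whose net mint exceeds a fraction of the pre-transaction supply. The event format, addresses and amounts below are constructed for the demonstration, not taken from the incident.

```python
from collections import defaultdict

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"

# Constructed sample Transfer events (not real chain data), in chain order.
# A transfer from the zero address is a mint; a transfer to it is a burn.
# tx4 splits one large mint across two Transfer logs in the same transaction.
SAMPLE_EVENTS = [
    {"tx": "0xtx1", "from": ZERO_ADDRESS, "to": "0xalice", "value": 1_000 * 10**18},
    {"tx": "0xtx2", "from": "0xalice", "to": "0xbob", "value": 100 * 10**18},
    {"tx": "0xtx3", "from": ZERO_ADDRESS, "to": "0xbob", "value": 50 * 10**18},
    {"tx": "0xtx4", "from": ZERO_ADDRESS, "to": "0xcarol", "value": 200_000_000 * 10**18},
    {"tx": "0xtx4", "from": ZERO_ADDRESS, "to": "0xcarol", "value": 35_000_000 * 10**18},
    {"tx": "0xtx5", "from": "0xbob", "to": ZERO_ADDRESS, "value": 10 * 10**18},
]


def find_abnormal_mints(events, max_ratio=0.10):
    """Return (tx, minted, supply_before) for every transaction whose total
    minted amount exceeds max_ratio of the token supply before that tx.
    Mints inside one tx are summed, so a mint split across several Transfer
    logs is still caught. The very first mint (supply 0) has no baseline and
    is never flagged; a real monitor would seed the supply from totalSupply().
    """
    supply = 0
    minted_per_tx = defaultdict(int)
    supply_before = {}
    order = []  # transaction hashes in first-seen order
    for ev in events:
        tx = ev["tx"]
        if tx not in supply_before:
            supply_before[tx] = supply
            order.append(tx)
        if ev["from"] == ZERO_ADDRESS:
            minted_per_tx[tx] += ev["value"]
            supply += ev["value"]
        elif ev["to"] == ZERO_ADDRESS:
            supply -= ev["value"]
    flagged = []
    for tx in order:
        minted, before = minted_per_tx[tx], supply_before[tx]
        if minted == 0 or before == 0:
            continue
        if minted / before > max_ratio:
            flagged.append((tx, minted, before))
    return flagged


if __name__ == "__main__":
    for tx, minted, before in find_abnormal_mints(SAMPLE_EVENTS):
        print(f"ALERT {tx}: minted {minted} against prior supply {before}")
```

In practice the threshold would be tuned to the token's normal issuance pattern, and an alert would be cross-checked against the collateral the token is supposed to be backed by.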
The number of affected individuals is not disclosed.
The perpetrator moved to launder the stolen funds through multiple channels. Approximately $3 million worth of ETH (roughly 1,000 ETH) was funneled through Tornado Cash, a cryptocurrency mixing service, in multiple batches including several 100 ETH transactions. The remaining $6 million in various staked Ethereum assets, including wstETH, rETH, and cbETH, remain in the attacker's wallet address (0xa80d...c822) as of the latest blockchain scans. Yearn Finance reported that the yUSND pool and Nerite's vaults remained secure and were not impacted by the exploit, and emphasized that all V2 and V3 Vaults, which manage over $600 million in total value locked, were not affected by the vulnerability.
Yearn Finance co-founder Andre Cronje emphasized the risks associated with legacy contracts and announced plans to audit all pre-2023 code. The protocol is exploring insurance claims under Nexus Mutual, which has historically covered approximately 60% of similar exploits in 2025.