Yearn Finance Hit By YETH Exploit With $3M Sent To Tornado Cash

Yearn Finance is dealing with a fresh security breach after an attacker exploited its yETH token contract and drained millions in ETH and liquid staking assets from Balancer pools.

The incident unfolded late on Nov. 30 when an attacker triggered an infinite-mint flaw inside the yETH contract. They then minted an impossibly large supply of yETH, more than 235 trillion tokens, in a single transaction. 

With those tokens, the attacker moved quickly through Balancer pools, removing real assets, including ETH and popular staking derivatives. Initial traces show close to $3 million flowing through Tornado Cash shortly after the exploit, while the attacker’s address still holds additional assets tied to the event.

Exploit isolated to legacy yETH product

Blockchain data shows the yETH stableswap pool was emptied within minutes, leaving a roughly $2.8 million hole. Yearn Finance(YFI) said the issue sits within an older implementation of yETH and does not touch its V2 or V3 Vaults. Protocols built on Yearn V3, including Katana, also reported no exposure.

Several helper contracts appeared just moments before the attack and vanished through self-destruct calls once the pool was drained, making the trail harder to follow.

Security teams reviewing the transactions, including auditors tracking Yearn’s older products, linked the event to a long-standing minting weakness inside the yETH token logic, rather than a problem in Yearn’s current vault architecture.

The protocol maintains a live bug bounty program with rewards reaching $200,000 for critical discoveries, though no recovery path has been announced yet.

On-chain movement intensifies after liquidity drain

Soon after the pool collapsed, X user Togbo flagged several movements of 100 ETH batches passing through Tornado Cash. Around 1,000 ETH in total was mixed in the hours following the exploit. The attacker still retains additional assets worth several million dollars across multiple wallets.

The yETH pool carried roughly $11 million before the breach, and while the final loss number is still under review, Yearn said user funds inside active vaults remain safe.

This incident adds to the protocol’s long record of managing legacy risks, coming years after its 2021 yDAI exploit and a 2023 treasury misconfiguration that did not affect depositors. YFI slipped about 4% after the event and traded near $4,002 at press time.