What Happened in the Latest Yearn Finance Exploit?
Yearn Finance is working to recover assets stolen in a major exploit that drained roughly $9 million from its legacy yETH pools on Sunday. The attacker used a flaw in an older contract to mint a near-infinite amount of yETH tokens, which were then used to pull real liquidity from a stableswap pool and a smaller yETH-WETH pool on Curve.
Yearn confirmed that about $2.4 million worth of the stolen assets have been recovered so far. A coordinated effort with external security teams is still underway. The protocol repeated that its V2 and V3 products are unaffected by the attack.
The incident is the third attack on Yearn since 2021 and carried a level of complexity similar to the recent Balancer exploit, according to the team. With the attacker minting 2.3544×10⁵⁶ yETH tokens — functionally limitless — the damage was concentrated in the older yETH pool.
Investor Takeaway
How Did the Exploit Work?
A post-mortem released Monday outlines the flaw behind the attack: an “unchecked arithmetic” bug in the yETH pool’s minting logic, combined with other design issues. By manipulating the vulnerable function, the attacker created an astronomical supply of yETH tokens. The post-mortem describes the sequence clearly:
“The actual exploit transactions follow this pattern: the huge mint is followed by a sequence of withdrawals that move real assets to the attacker, while the yETH token supply is effectively meaningless.”
The attack involved a series of batched actions and helper contracts — temporary, specialized smart contracts often used in multi-step exploits. Blockscout reported that the attacker deployed helper contracts that self-destructed after execution, making them unreadable while still leaving traces in creation logs. These contracts handled the mint manipulation before destroying themselves.
“As The Block previously reported,” the attacker also moved at least 1,000 ETH and several liquid-staking tokens through Tornado Cash shortly after the exploit.
How Much Has Been Recovered So Far?
Yearn said on Sunday that a recovery mission was “active and ongoing.” By working with SEAL 911, ChainSecurity and Plume Network, the team has recovered 857.49 pxETH so far. Additional assets remain in motion across multiple chains and anonymization paths.
The team reiterated that the attack targeted a legacy contract and that “there is no other Yearn product using similar code to what was impacted.” It added that any assets successfully reclaimed will be returned to affected depositors.
Investor Takeaway
Why Yearn’s V2 and V3 Products Were Not at Risk
Yearn stressed that the exploit touched only its older yETH pool. V2 and V3 vaults, which make up the core of the current Yearn ecosystem, use different code and were unaffected. The incident, however, highlights the long tail of inactive or lightly maintained DeFi contracts still holding user funds across the ecosystem.
In its early years, Yearn was a dominant yield aggregator, but several older strategies remain deployed even as liquidity has shifted to newer vaults. The yETH pool exploited on Sunday falls into that category — a relic of an earlier stage of DeFi that still held significant value.
On Sunday, Yearn warned users that its investigation would require patience: “Initial analysis indicated this hack has a similar high complexity level to the recent Balancer hack, so please bear with us as we perform the post-mortem analysis.”
The central question now is how much more of the stolen funds can be retrieved and how quickly the protocol can compensate depositors. The incident also raises broader concerns across DeFi about how many older contracts are still exposed to similar arithmetic or rounding-based weaknesses.
For Yearn, the immediate priority is completing recovery efforts and closing the chapter on a pool that dates back to an earlier era of yield farming — one that attackers continue to probe for overlooked vulnerabilities.
