Yearn Finance details the $9 million yETH exploit, confirms partial asset recovery and announces remediation plan
According to ChainCatcher, as reported by The Block, Yearn Finance has released a detailed post-mortem on last week's yETH exploit, identifying a three-stage numerical error in its legacy stableswap liquidity pool. The error allowed attackers to "mint LP tokens infinitely" and steal approximately $9 million in assets from the liquidity pool.
Yearn confirmed that, with the assistance of the Plume and Dinero teams, it has successfully recovered 857.49 pxETH, which accounts for about a quarter of the stolen assets. The team plans to distribute the recovered funds proportionally to yETH depositors.
The decentralized finance protocol stated that the exploit occurred at block 23,914,086 on November 30, 2025. The attacker used a complex sequence of operations to force the liquidity pool's internal parser into a divergent state, ultimately triggering an arithmetic underflow. The attack targeted a custom stableswap pool aggregating multiple liquid staking tokens (LSTs), as well as a yETH/WETH Curve pool.
Yearn emphasized that its v2 and v3 vaults and other products were not affected. To address these issues, Yearn has announced a remediation plan, including implementing explicit domain checks on the parser, replacing unsafe arithmetic with checked arithmetic in critical sections, and disabling bootstrap logic after the pool goes live.
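The three remediation items above, sketched as an added example in Python. It is a constructed toy model, not Yearn's contract code: `ToyPool`, its methods, the invariant bounds it enforces and all numbers are assumptions made for illustration.

```python
UINT256_MAX = 2**256 - 1

class PoolError(Exception):
    """Raised where the hardened pool would revert."""

def unsafe_sub(a, b):
    # Unchecked 256-bit subtraction: wraps around instead of reverting.
    return (a - b) & UINT256_MAX

def checked_sub(a, b):
    # Checked subtraction: an underflow aborts the whole operation.
    if b > a:
        raise PoolError("arithmetic underflow")
    return a - b

class ToyPool:
    """Constructed model: LP minted on deposit = new invariant - old supply."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.supply = 0
        self.live = False

    def bootstrap(self, invariant):
        # Initial-liquidity path: sets the supply directly from the invariant.
        if self.hardened and self.live:
            raise PoolError("bootstrap disabled after launch")
        self.supply = invariant
        self.live = True
        return invariant

    def deposit(self, solved_invariant, total_balance):
        # solved_invariant stands in for the value the pool's internal
        # numerical routine computes; a divergent run can return garbage.
        if self.hardened:
            # Domain check (assumed bounds): a deposit cannot lower the
            # invariant, and it cannot exceed the assets backing it.
            if not self.supply <= solved_invariant <= total_balance:
                raise PoolError("invariant outside valid domain")
            minted = checked_sub(solved_invariant, self.supply)
        else:
            minted = unsafe_sub(solved_invariant, self.supply)
        self.supply = (self.supply + minted) & UINT256_MAX
        return minted
```

In the legacy configuration a computed invariant one unit below the current supply wraps to the largest 256-bit value, which is how an underflow turns into a near-unbounded mint; the hardened configuration rejects the same input at the domain check before any subtraction runs.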
