Yearn Finance , that seasoned beast of the DeFi jungle, just got smacked again.
The victim? yETH , a slick Yearn product that wraps various staked Ethereum into one neat little package.
Picture a cosmic fruit basket suddenly raided by a shadowy crypto bandit.
1,000 ETH spirited into Tornado Cash
The heist? Around $9 million vanished from the yETH stableswap pool and its sidekick, the smaller yETH-WETH pool on Curve.
The hacker played it like a pro, exploiting a cryptic pairing of a so-called “low-level numerical bug” and a “high-level invariant-management issue” (yes, that’s real crypto expert jargon for “we’re f*cked up”).
On a Sunday that probably should’ve been quiet, someone minted infinite yETH tokens, swapped them for real ETH and staking tokens, then scooted off with a cash prize and about 1,000 ETH spirited into Tornado Cash, DeFi’s version of a smoke bomb.
At 21:11 UTC on Nov 30, an incident occurred involving the yETH stableswap pool that resulted in the minting of a large amount of yETH. The contract impacted is a custom version of popular stableswap code, unrelated to other Yearn products. Yearn V2/V3 vaults are not at risk.
— yearn (@yearnfi) December 1, 2025
Smart contracts that self-destruct
Yearn’s response was swift and a touch heroic. Teaming up with Plume and Dinero, they clawed back 857.49 pxETH, roughly $2.4 million, rescuing a chunk of the loot from the abyss.
The process was delicate, described in Yearn’s evening dispatch as “high complexity,” rivaling the recent Balancer hack’s infamous audacity.
How did the villain pull off this stunt? The trick involved a clever breed of smart contracts that self-destruct after doing their dirty work, erasing any trace of their bytecode but leaving behind blockchain breadcrumbs for the keen analyst.
These contracts minted fake yETH tokens, drained pools, then vanished like ghost ships in the digital night.
Even veteran protocols carrying billions aren’t invincible
Yearn’s official word? The mess is isolated, only yETH’s custom code took the hit.
At writing, Yearn Vaults still hold a cool $570 million, untouched by this particular escapade. But fair to say, this isn’t Yearn’s first rodeo.
They’ve been tangled in exploits since 2021, including a $11 million loss from the yDAI vault hack and a strike on an aging yUSDT contract in 2023.
Like a grizzled cowboy, Yearn keeps getting shot at but refuses to ride off into the sunset.
For DeFi enthusiasts, this episode rings a loud alarm bell, even veteran protocols carrying billions aren’t invincible.
The yETH exploit blends smart contract quirks and crafty hackers, illustrating the precarious tightrope act that is decentralized finance security.
Cryptocurrency and Web3 expert, founder of Kriptoworld
LinkedIn | X (Twitter) | More articles
With years of experience covering the blockchain space, András delivers insightful reporting on DeFi, tokenization, altcoins, and crypto regulations shaping the digital economy.
