Yearn.finance Hit by Sophisticated Hack, Millions in yETH Tokens Drained

30.11.2025 23:40

The DeFi ecosystem was rattled by a significant security breach targeting Yearn.finance, a leading Ethereum-based protocol, where hackers exploited a critical vulnerability in the yETH index token system. The attack, which occurred around November 30, 2025, allowed perpetrators to mint unlimited yETH tokens without proper collateral, effectively creating funds out of thin air and systematically draining the protocol's liquid staking token pools.

Blockchain data revealed that the exploit was executed through several freshly-deployed smart contracts, some of which self-destructed after the transaction, making tracing difficult. As a result, approximately 1,000 ETH (worth about $3 million) was siphoned from the pools and transferred to the privacy protocol Tornado Cash for laundering. The incident was first flagged by an X user, Togbe, who noted the attacker's gain of 1,000 ETH despite some ETH being sacrificed in the process.

In response, the Yearn.finance team confirmed they are investigating the incident and assured users that Yearn Vaults (V2 and V3) remain unaffected. This exploit echoes past security issues, including a 2021 incident where the yDAI vault lost $11 million and a 2023 treasury script error, though no user funds were compromised then. The YFI token experienced notable price volatility following the breach, underscoring the immediate market impact.

The event highlights persistent security challenges in DeFi, emphasizing the need for continuous auditing, robust bug bounty programs, and user diligence. While the vulnerability has been patched, the incident serves as a stark reminder of the risks inherent in decentralized finance investments.