In a significant move for DeFi security and user trust, Yearn.finance has announced a plan to distribute recovered funds to users impacted by a recent exploit of its yETH product. The protocol confirmed the recovery of 857.49 pxETH, representing approximately 25% of the total $9 million in assets drained during the attack on November 30, 2025.
The exploit targeted a legacy weighted stableswap pool connected to yETH. According to a detailed post-mortem, the attacker executed a three-phase attack that manipulated the pool's internal solver. This allowed them to mint a near-infinite number of yETH LP tokens, which were then used to drain liquidity from the pool and an associated yETH/ETH Curve pool. The attack was isolated to the yETH product, with Yearn's v2 and v3 vaults remaining unaffected.
Recovery efforts involved coordinated action with blockchain security partners SEAL 911 and the Plume and Dinero teams. A portion of the stolen funds was recovered on December 1, 2025. The protocol has stated that all recovered assets will be distributed pro rata to yETH depositors based on their balances immediately before the exploit, with any future recoveries also earmarked for users.
Yearn's disclosure reiterates that yETH operates under a 'Use at Own Risk' clause and is self-governed by its depositors, meaning Yearn contributors and YFI governance are not liable for reimbursement. The distribution will be handled on-chain for transparency.
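The pro rata split described above can be computed exactly in integer wei so that payouts sum to the recovered amount with nothing left over or over-allocated. The sketch below is an added example, not Yearn's distribution code: the snapshot addresses and balances are constructed, and the largest-remainder rule for leftover wei is an assumption, since the page does not say how rounding dust is handled.

```python
# Added example: exact pro rata allocation of a recovered pool over a
# pre-exploit balance snapshot, using integer wei only (no floats).

WEI = 10**18
RECOVERED_WEI = 85749 * 10**16  # 857.49 pxETH, the figure stated on the page

# Constructed sample snapshot (placeholder addresses, balances in wei).
SAMPLE_SNAPSHOT = {
    "0xDEPOSITOR_A": 1200 * WEI + 7,
    "0xDEPOSITOR_B": 333 * WEI + 1,
    "0xDEPOSITOR_C": 5 * WEI // 3,
    "0xDEPOSITOR_D": 0,
}


def pro_rata(snapshot, pool_wei):
    """Return {address: payout_wei} whose values sum to exactly pool_wei.

    Each holder gets floor(balance * pool / total). The few wei lost to
    flooring are handed out one each to the largest remainders
    (assumed rule), with the address as a deterministic tie-break so the
    result can be reproduced and audited by anyone holding the snapshot.
    """
    if pool_wei < 0 or any(b < 0 for b in snapshot.values()):
        raise ValueError("negative amounts are not valid")
    total = sum(snapshot.values())
    if total == 0:
        raise ValueError("snapshot has no balances to distribute against")

    payouts, remainders = {}, []
    for addr, bal in snapshot.items():
        share, rem = divmod(bal * pool_wei, total)
        payouts[addr] = share
        remainders.append((rem, addr))

    dust = pool_wei - sum(payouts.values())  # always smaller than len(snapshot)
    remainders.sort(key=lambda t: (-t[0], t[1]))
    for _, addr in remainders[:dust]:
        payouts[addr] += 1
    return payouts


if __name__ == "__main__":
    for addr, amount in pro_rata(SAMPLE_SNAPSHOT, RECOVERED_WEI).items():
        print(f"{addr}: {amount} wei")
```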
Looking forward, Yearn has outlined a remediation plan to prevent similar incidents. This includes enforcing explicit domain checks on the pool solver, replacing unsafe arithmetic with checked math, and introducing hard caps on LP token issuance. The protocol also plans to expand its testing approach with more aggressive fuzzing and adversarial test cases.