Yearn Finance V1 Suffers $300K Exploit Through Legacy TUSD Vault


Decentralized finance protocol Yearn Finance's legacy V1 system has been exploited for approximately $300,000, reviving concerns about the security risks of immutable, deprecated smart contracts. Blockchain security firm PeckShield first reported the incident on December 17, 2025, noting the stolen funds were swapped for 103 ETH and sent to address 0x0F21...4066.

The attack targeted an outdated Yearn vault tied to TrueUSD, known as the "iearn TUSD vault," which remains deployed on Ethereum despite being superseded by newer versions. According to an analysis by pseudonymous researcher Weilin Li, the exploit stemmed from a configuration flaw. The vault had configured one of its strategies as a Fulcrum sUSD vault and calculated its share price using only the deposited sUSD balance, opening the door to a "donation attack."

The attacker manipulated the system by sending Fulcrum sUSD tokens into the vault to artificially inflate its reported share price. They then triggered a rebalance function that withdrew all underlying assets into sUSD—an asset excluded from the vault's share price calculations. This caused a severe "price shock," driving the share price toward zero. The attacker then deposited a small amount of TUSD, minted a large number of Yearn TUSD tokens at a minimal cost, and sold them on Curve pools to extract value before repaying flash loans used in the attack.
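The accounting flaw described above, reduced to a toy model (added here for illustration; this is not Yearn's code). It assumes every token is 1:1 USD-pegged, uses whole-unit integer amounts with the usual `shares = amount * totalSupply / balance` vault math, and contrasts the vulnerable accounting (only the deposit asset and the configured strategy token counted) with the hardened form that values every asset the vault actually holds:

```python
# Toy model of the share-price accounting flaw behind the iearn TUSD vault
# incident. Constructed numbers; all tokens treated as 1:1 USD-pegged.

class ToyVault:
    def __init__(self, holdings, total_shares, count_all_holdings):
        self.holdings = dict(holdings)        # token -> units held by the vault
        self.total_shares = total_shares      # vault tokens outstanding
        # Vulnerable accounting counts only the deposit asset and the
        # configured strategy token; hardened accounting counts everything.
        self.count_all_holdings = count_all_holdings
        self.counted = {"TUSD", "fulcrum_sUSD"}

    def priced_balance(self):
        if self.count_all_holdings:
            return sum(self.holdings.values())
        return sum(v for t, v in self.holdings.items() if t in self.counted)

    def rebalance_into(self, token, dust=1):
        # Move all underlying except `dust` units of TUSD into `token`.
        total = sum(self.holdings.values())
        self.holdings = {"TUSD": dust, token: total - dust}

    def deposit(self, amount):
        # shares = amount * totalSupply // pricedBalance (integer, like Solidity)
        shares = amount * self.total_shares // self.priced_balance()
        self.holdings["TUSD"] = self.holdings.get("TUSD", 0) + amount
        self.total_shares += shares
        return shares


def shares_for_small_deposit(count_all_holdings, deposit=100):
    """Return (shares minted, fraction of vault owned) for a small TUSD
    deposit made right after a rebalance parks the assets in plain sUSD."""
    vault = ToyVault({"TUSD": 1_000_000}, total_shares=1_000_000,
                     count_all_holdings=count_all_holdings)
    vault.rebalance_into("sUSD")          # sUSD is outside the counted set
    minted = vault.deposit(deposit)
    return minted, minted / vault.total_shares


if __name__ == "__main__":
    for flag in (False, True):
        label = "all holdings counted" if flag else "sUSD ignored"
        print(label, shares_for_small_deposit(flag))
```

With sUSD ignored, the 100-unit deposit mints 100,000,000 shares and owns about 99% of a vault still backed by roughly 1,000,100 units; with every holding counted, the same deposit mints 100 shares. The mitigation is to value the vault on its total asset position, never on a subset of tokens a rebalance can move out of.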

Researcher Li noted the exploit vector was identical to a 2023 attack that resulted in losses exceeding $10 million from the immutable yUSDT contract. That earlier vulnerability, present since the contract's deployment over three years ago, involved a copy-and-paste error referencing the wrong Fulcrum contract address. A Yearn team member, storming0x, acknowledged the latest attack but reassured users that current contracts are safe.

This incident follows closely on the heels of a $2.7 million drainage from an old Ribbon Finance (rebranded Aevo) contract earlier in the month, highlighting a persistent security challenge for legacy DeFi infrastructure.