Major DeFi Player Hit by Multi-Million Dollar Hack: How It Went Wrong

Yearn Finance

Yearn Finance, a well-known player in DeFi, was hit by a significant hack this weekend. The attack targeted an old yETH contract that was no longer actively used but still had access to a liquidity pool. This allowed an attacker to exploit the unused piece of code to gain access.

Over $11 million (approximately €9 million) in crypto was lost in the hack. It remains uncertain whether users will recover their funds.

Exploiting a Vulnerability in the Outdated yETH Pool

A flaw in the old code enabled a hacker to mint a nearly unlimited number of new yETH tokens and withdraw real ETH and other assets. The attack began yesterday evening. The error in the old yETH contract let the attacker mint about 235 trillion yETH tokens in one go, a quantity that was never intended and that made it possible to drain the liquidity pools.

From the main pool, approximately €6.9 million in ETH and liquid staking tokens was taken. A second pool lost nearly €850,000. Part of the stolen funds, about 1,000 ETH (worth around €2.5 million), was immediately sent through Tornado Cash to obscure the trail. The remaining amount sits in the hacker’s wallet as a mix of staked ETH tokens.

Yearn responded quickly, stating that the flaw was isolated to the old yETH component. The well-known V2 and V3 vaults, where most users hold funds, are safe. “Active products and user funds are not affected,” the Yearn team said.

YFI Price Rises After Hack

Several channels quickly raised the alarm, including PeckShield. Helper contracts used by the hacker were created just before the attack and destroyed shortly after, making the attack difficult to analyze but indicating a planned action.

Notably, instead of a price drop, the price of YFI, Yearn’s token, briefly rose. It jumped from around $4,080 to over $4,160. This appears to be because traders initially thought the entire Yearn platform was affected and went short en masse. When it became clear that the issue was limited to the old yETH product, those short positions had to be closed rapidly, causing the price to spike temporarily. Since then, the YFI price has fallen by over 6%.

Yearn is currently investigating how the error occurred and whether there are ways to recover some of the stolen funds.