Yearn Finance’s yETH Pool Breach: A $9 Million DeFi Exploit
On November 30, 2025, Yearn Finance’s yETH pool suffered a significant exploit, resulting in the theft of approximately $9 million in Ethereum-based assets. The attacker executed a sophisticated infinite-mint attack, creating an astronomical 235 septillion yETH tokens by depositing a mere 16 wei—an amount worth less than a fraction of a cent.
Understanding the Exploit
The core vulnerability resided within the protocol’s internal accounting mechanism, specifically its use of cached storage variables known as packed_vbs. These variables, designed to reduce transaction costs by storing virtual balance information, failed to reset correctly when the pool’s liquidity supply dropped to zero. While the main supply counter reset, the cached values retained phantom balances from previous transactions, creating a critical discrepancy between the actual and recorded state of the pool.
By manipulating the interaction between deposit and withdrawal functions, the attacker tricked the system into believing the pool held vast value when it was effectively empty. This miscalculation triggered the minting of septillions of LP tokens, granting the attacker absolute control over the pool’s assets, which were subsequently swapped for WETH and laundered through Tornado Cash.
Immediate Response and Recovery Efforts
Yearn Finance promptly acknowledged the breach, confirming that the exploit was isolated to the legacy yETH product and that its V2 and V3 Vaults remained secure and unaffected. The protocol’s Total Value Locked (TVL) remained above $600 million, indicating that core systems were not compromised during the attack. ([coincentral.com](https://coincentral.com/yearn-finance-yeth-exploited-for-3-million-in-unlimited-minting-attack/?utm_source=openai))
In collaboration with external security teams, including SEAL 911 and ChainSecurity, Yearn Finance initiated a comprehensive investigation and recovery operation. By December 1, 2025, the team successfully recovered 857.49 pxETH, valued at approximately $2.39 million. This recovery was achieved through coordinated efforts with the Plume and Dinero teams, who neutralized the exploiter’s pxETH positions and redirected equivalent value back to the protocol. ([crypto.news](https://crypto.news/yearn-finance-recovers-2-4m-yeth-exploit-2025/?utm_source=openai))
Broader Implications for DeFi Security
This incident underscores the inherent risks associated with complex DeFi systems and the critical importance of explicit state management to prevent high-value exploits. The exploit represents one of the most capital-efficient attacks in history, requiring negligible upfront capital to drain millions in Ethereum-based assets.
The breach also highlights the necessity for continuous auditing and upgrading of smart contracts, especially legacy contracts that may harbor long-standing vulnerabilities. Security analysts have noted that this incident is part of an increasing number of DeFi-related vulnerabilities, with over $127 million lost due to hacking, scamming, and exploits in November 2025 alone. ([xt.com](https://www.xt.com/en/blog/post/yearn-finance-yeth-exploit-drains-3-million-vulnerability-in-defi-protocol?utm_source=openai))
Conclusion
Yearn Finance’s swift response and partial recovery of assets demonstrate the protocol’s commitment to security and user trust. However, the incident serves as a stark reminder of the evolving threats in the DeFi space and the need for robust security measures, continuous monitoring, and proactive vulnerability management to safeguard user assets.
