Haciyev Reşit 
As the crypto market enters a highly volatile period in December, the DeFi sector has been shaken by a major security incident. A vulnerability detected in Yearn Finance’s yETH product allowed attackers to mint nearly unlimited tokens and drain the pool in a single transaction. The attacker transferred 1,000 ETH (approximately $3 million) through Tornado Cash to obscure the trail.
yETH Pool Drained in One Transaction
The attack, which took place on Monday, targeted Yearn Finance’s yETH product — a vault designed to aggregate liquid staking derivatives into a single asset. Blockchain data shows that the exploiter used a vulnerability that enabled the minting of infinite yETH tokens, which were then used to withdraw millions of dollars worth of assets from Balancer pools.
The attack was first noticed by X user Togbe, who detected unusual activity while monitoring the transactions. The yETH pool was reported to hold around $11 million before the exploit. Yearn Finance quickly confirmed the incident and stated that its V2 and V3 vaults were not affected. The protocol announced that a detailed investigation was underway in collaboration with SEAL 911 and ChainSecurity.
Technical Details and Initial Findings
The attack was executed using several newly created smart contracts, some of which self-destructed after the transactions were completed. Yearn Finance’s latest update confirmed a total loss of $9 million $8 million drained from the stableswap pool and $0.9 million removed from the yETH-WETH pool on Curve. The Yearn team emphasized that no other products in their codebase were affected by this vulnerability.
Community Reaction and Implications for DeFi Security
The incident sparked mixed reactions within the community. Some users expressed concerns about older contract architectures and warned that similar vulnerabilities may exist in other products as well. Yearn Finance previously experienced a major hack in 2021 involving its yDAI vault, resulting in an $11 million loss. Additionally, in December 2023, a faulty script wiped 63% of a treasury position.
This latest exploit highlights growing security concerns in the DeFi sector. A major Balancer hack in 2025—one of similar technical complexity—resulted in losses exceeding $116 million.
Crypto Hack Losses Exceed $127 Million in November
According to CertiK’s monthly security report, the losses in November alone include:
- $127 million lost due to hacks and exploits
- $172 million total value of funds initially affected
- Net losses decreased by ~$45 million after recovered funds
DeFi protocols accounted for the majority of the losses, while exchange hacks contributed approximately $29.8 million.
Experts commented:
“The yETH attack is yet another example of how complex and vulnerable DeFi products can be. A single flaw can cause millions of dollars in losses within seconds, underscoring the importance of stronger code audits.”
Conclusion
The attack on Yearn Finance’s yETH product has once again highlighted the significant security risks within the DeFi ecosystem. The draining of the pool in a single transaction exposed critical weaknesses in smart contract infrastructure. Yearn’s confirmation of a $9 million loss underscores the severity of the incident, while the funds laundered through Tornado Cash make the investigation more challenging. With DeFi hacks in recent months surpassing hundreds of millions of dollars, the urgency for enhanced security-focused development continues to intensify.
You can also freely share your thoughts and comments about the topic in the comment section. Additionally, don’t forget to follow us on our Telegram, YouTube, and Twitter channels for the latest news and updates.