Legacy code weakness leads to $9 million DeFi theft, highlighting the industry's security gaps

By: Bitget-RWA
2025/12/01 11:04

- Yearn Finance lost $9 million in 2025 after a hacker exploited a legacy yETH pool vulnerability to mint infinite tokens and drain liquidity.
- The attack used self-destructing contracts to obscure traces, stealing $3 million via Tornado Cash while $6 million remained in the attacker's wallet.
- Yearn halted the affected pool and pledged to audit pre-2023 contracts, highlighting risks from outdated smart contract logic in DeFi protocols.
- The breach occurred amid a $127 million sector-wide hacking trend

Yearn Finance Faces $9 Million DeFi Exploit

On November 30, 2025, Yearn Finance—a leading player in the decentralized finance (DeFi) space—experienced a significant security breach resulting in a $9 million loss. The incident occurred when an attacker took advantage of a flaw in the yETH token pool, enabling them to create an enormous quantity of yETH tokens in a single transaction and swiftly drain liquidity pools.

The exploit specifically targeted an outdated yETH stableswap pool. By exploiting the vulnerability, the attacker was able to mint approximately 235 trillion yETH tokens, essentially generating an unlimited supply. These tokens were then used to withdraw valuable assets, including ETH and liquid staking derivatives, from both Balancer and Curve liquidity pools. Of the stolen assets, $3 million in ETH was funneled through Tornado Cash—a privacy-oriented mixer—while another $6 million remained under the attacker's control.

Yearn Finance clarified that its more recent V2 and V3 vaults were not impacted by the breach, emphasizing that the incident was confined to the legacy yETH product.

How the Attack Unfolded

The root cause of the exploit was traced to outdated smart contract logic within the yETH pool, which failed to adequately check the conditions for minting new tokens. The attackers deployed temporary helper contracts, which they later destroyed, to mask their activities on the blockchain—a strategy seen in previous DeFi attacks. According to blockchain security firm PeckShield, the vulnerability was due to flawed invariants and improper rate-update mechanisms in the yETH contract.

Wider Impact on the DeFi Sector

This breach is part of a larger pattern of DeFi hacks in 2025. In November alone, the sector suffered losses exceeding $127 million from various exploits and scams, including a major $116 million cross-chain attack on Balancer.

Yearn Finance's Response and Aftermath

In response to the incident, Yearn Finance immediately suspended the affected yETH pool and began working closely with security auditors to determine the underlying cause. Co-founder Andre Cronje acknowledged the dangers posed by legacy code and committed to reviewing and securing all contracts created before 2023. Despite these reassurances, the event caused a brief surge in the price of YFI, Yearn’s governance token, which temporarily jumped from $4,080 to $4,160 due to market imbalances and short squeezes. The token’s limited supply further intensified price swings during this period.

Lessons for DeFi Security

This attack highlights ongoing security challenges in the DeFi ecosystem, where intricate smart contracts and interconnected protocols can open the door to sophisticated exploits. Industry experts advocate for comprehensive audits, the retirement of outdated contracts, and the adoption of hybrid verification systems that combine on-chain and off-chain checks to enhance security. For users, the incident serves as a reminder of the risks associated with high-yield DeFi opportunities and the importance of protocol safety. Yearn Finance’s openness in addressing the breach and its commitment to thorough post-incident review may help restore confidence, but the event underscores the persistent vulnerabilities within the sector.
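As an added illustration (not taken from the article or from Yearn's code), the off-chain half of such a hybrid check can be a monitor that tests every mint against share-accounting invariants and flags the kind of single-transaction supply explosion described above. The event fields, thresholds and sample values are assumptions constructed for this example; the actual yETH invariant is not described on this page.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class MintEvent:            # hypothetical decoded event, not the yETH ABI
    tx: str
    supply_before: int      # pool-token supply before the mint (wei)
    backing_before: int     # value of pool assets before the mint (wei of ETH)
    deposited: int          # value the caller added (wei of ETH)
    minted: int             # pool tokens issued to the caller (wei)

def check_mint(ev, tolerance=Fraction(1, 1000), max_growth=Fraction(1, 2)):
    """Return alert strings for one mint; an empty list means it passed."""
    alerts = []
    if ev.supply_before == 0 or ev.backing_before == 0:
        fair = Fraction(ev.deposited)   # empty pool: assume 1:1 bootstrap
    else:
        # Tokens the deposit earns at the pre-mint price per token.
        fair = Fraction(ev.deposited * ev.supply_before, ev.backing_before)
    if ev.minted > fair * (1 + tolerance):
        alerts.append("minted exceeds value deposited")
    if ev.supply_before:
        if Fraction(ev.minted, ev.supply_before) > max_growth:
            alerts.append("supply growth in one transaction above limit")
        # Backing per token must not fall, or existing holders are diluted.
        before = Fraction(ev.backing_before, ev.supply_before)
        after = Fraction(ev.backing_before + ev.deposited,
                         ev.supply_before + ev.minted)
        if after < before * (1 - tolerance):
            alerts.append("backing per token dropped")
    return alerts

def scan(events):
    """Map transaction id -> alerts, keeping only mints that failed a check."""
    return {ev.tx: a for ev in events if (a := check_mint(ev))}

E = 10**18
# Constructed sample events; "0xbad" uses the article's 235 trillion figure.
SAMPLE = [
    MintEvent("0xok", 1000 * E, 1050 * E, 10 * E, 9_523_809_523_809_523_809),
    MintEvent("0xwhale", 1000 * E, 1050 * E, 1050 * E, 1000 * E),
    MintEvent("0xbad", 1000 * E, 1050 * E, 1 * E, 235 * 10**12 * E),
]

if __name__ == "__main__":
    for tx, alerts in scan(SAMPLE).items():
        print(tx, alerts)
```

A large but fairly priced deposit trips only the growth limit, while the mispriced mint fails all three checks, which is the distinction an alerting or pause rule needs.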

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
