Yearn Finance yETH Exploited for $3 Million in Unlimited Minting Attack

TLDR

• Yearn Finance’s yETH product was exploited through an unlimited minting attack that drained liquidity from Balancer pools on November 30, 2025
• The attacker created approximately 235 trillion yETH tokens in one transaction and stole around $2.8-3 million worth of ETH
• About 1,000 ETH was laundered through Tornado Cash mixer after the exploit
• Yearn confirmed V2 and V3 Vaults were not affected and remain secure, with total value locked staying above $600 million
• YFI token price spiked from $4,080 to over $4,160 after the exploit due to a short squeeze from traders misinterpreting the attack’s scope

Yearn Finance confirmed an active exploit targeting its yETH product on Sunday after an attacker executed an unlimited token minting attack. The incident occurred around 21:11 UTC on November 30, 2025.

Blockchain data shows the attacker minted approximately 235 trillion yETH tokens in a single transaction. The malicious wallet then used these tokens to drain real assets from Balancer liquidity pools.

The exploit specifically targeted yETH, an index token consisting of various Ethereum Liquid Staking Derivatives. The attacker removed primarily ETH and liquid staking tokens from the affected pools.

Early estimates suggest the attacker profited around 1,000 ETH, worth approximately $2.8 to $3 million. The stolen funds were quickly routed through Tornado Cash, a cryptocurrency mixer used to obscure transaction trails.

Nansen’s alert system confirmed the attack as an infinite-mint vulnerability in the yETH token contract. The vulnerability did not affect Yearn’s main Vault infrastructure.

Yearn Vaults Remain Secure as Investigation Continues

Yearn Finance issued a statement confirming that its V2 and V3 Vaults remain secure and unaffected by the exploit. The vulnerability appears limited to the legacy yETH implementation.

The protocol’s Total Value Locked remains above $600 million, according to CoinGecko data. This suggests the core systems were not compromised during the attack.

The exploit involved several newly deployed smart contracts that self-destructed after the transaction. These helper contracts were deployed minutes before the incident to obscure the attacker’s trail.

Prior to the attack, the yETH pool had a total value around $11 million, according to Dexscreener data. The total financial losses remain under investigation.

The incident marks another security breach for Yearn Finance, which suffered a hack in 2021 affecting its yDAI vault. That attack resulted in $11 million in losses, with the hacker taking $2.8 million.

YFI Token Shows Unexpected Price Spike

YFI’s price spiked sharply following the exploit, climbing from near $4,080 to over $4,160 within an hour. The move came despite negative headlines surrounding the security breach.

Market analysts attribute the price spike to a short squeeze. Initial reports of a “Yearn exploit” prompted traders to open short positions on YFI.

When traders learned the attack was isolated to yETH and not Yearn’s main Vaults, short-sellers began covering positions. This triggered rapid buying pressure and volatility-driven price movement.

YFI’s circulating supply stands at only 33,984 tokens, making it one of the most illiquid major DeFi governance assets. This structure amplifies price movements during periods of uncertainty.

Derivatives data showed elevated funding volatility immediately after the exploit alert. For now, losses appear contained to the yETH and Balancer pools touched by the exploit.

The post Yearn Finance yETH Exploited for $3 Million in Unlimited Minting Attack appeared first on CoinCentral.