Yearn Finance Initiates Fund Recovery Following $9 Million Exploit
Yearn Finance has embarked on the recovery of funds stolen during a significant exploit that impacted its yETH stableswap pool on November 30, resulting in a loss of $9 million. The decentralized finance (DeFi) protocol announced a successful retrieval of $2.39 million in assets, which will be returned to the users affected by the breach. Reports indicate that the exploit took place at 21:11 UTC, targeting a customized version of the stableswap code. Fortunately, Yearn Finance confirmed that its primary V2 and V3 vault products remained secure and unaffected by this incident.
Successful Recovery of $2.39 Million Through Collaborative Efforts
The protocol revealed that 857.49 pxETH, valued at $2.39 million, was recovered through a joint effort with the Plume and Dinero teams. Yearn Finance emphasized that the recovery process is still ongoing, and any additional assets retrieved will also be returned to the impacted depositors. This recovery operation was initiated shortly after the exploit, with an active war room involving SEAL911 and audit partner ChainSecurity working on a thorough post-mortem investigation. Their security measures include monitoring the movement of the stolen assets and implementing safeguards to prevent further losses.
Details of the $9 Million Exploit
In total, both pools affected lost approximately $9 million, with the stableswap pool suffering the most significant hit, losing around $8 million. The yETH-WETH Stableswap also faced a loss of $900,000. The attacker exploited a vulnerability that allowed for the minting of an excessive amount of yETH tokens without adequate collateral. Initial analyses from Yearn Finance indicate that the hacker minted roughly 235 trillion yETH tokens, which were then exchanged for legitimate liquid staking assets like stETH, rETH, and cbETH from the stableswap pool, as well as wrapped Ethereum from the Curve pool.
Exposed Vulnerability in Legacy Pool
The compromised contract was a modified version of a widely used stableswap code and was not linked to other Yearn Finance products. The protocol reassured users that no other Yearn offerings utilized similar code to that which was breached. The vulnerability stemmed from an older contract associated with the yETH token, allowing the attacker to create new tokens without the essential collateral backing, essentially fabricating tokens. Yearn Finance noted that the complexity of this hack is comparable to a recent exploit involving Balancer. The isolation of the yETH stableswap pool from the core V2 and V3 vault infrastructure was instrumental in preventing the exploit from affecting other products.
Funds Laundered Through Mixer
In the hours following the exploit, the attacker began moving the stolen assets to obscure their identity. Approximately 1,000 ETH, valued around $3 million, was funneled into the crypto mixing service Tornado Cash. As of December 1, around $6 million of the stolen assets remained in the attacker’s wallet address, primarily consisting of staked ETH derivatives that had yet to be laundered. The Yearn Finance team reassured users that their core vault products were not vulnerable to the exploit. The V2 and V3 vaults operate under a different smart contract with distinct code from the compromised legacy pool. Thus, users with funds in Yearn V2 and V3 vaults were not required to take any action. The incident on November 30 specifically impacted depositors in the yETH stableswap pool.
November’s Crypto Security Challenges
The Yearn Finance hack concluded a challenging month for crypto security. November 2025 witnessed nearly $200 million in losses across various prominent platforms and protocols. The most significant incident was a $134 million exploit of Balancer, attributed to a rounding error within smart contract logic. Additionally, the South Korean exchange Upbit experienced a hot wallet breach resulting in losses estimated between $30 million and $38 million. Other notable incidents included a $3.1 million smart contract takeover at GANA Payment and around $5 million in losses at Hyperliquid due to price manipulation.
