Yearn Finance yETH Pool Exploited: $3 Million in ETH Laundered Through Tornado Cash

Yield-farming protocol Yearn Finance confirmed an exploit of its yETH product on November 30, 2025, in which an attacker minted an unlimited supply of yETH tokens and drained approximately $3 million in assets from connected liquidity pools. The stolen funds, valued at around 1,000 ETH, were subsequently laundered through the privacy mixer Tornado Cash, according to on-chain analysis.

Incident Details

The attack targeted an older implementation of the yETH stableswap pool on Balancer, allowing the exploiter to generate a near-infinite number of yETH tokens in a single transaction. This enabled the attacker to withdraw real assets, including ETH and popular liquid staking derivatives, leaving a roughly $2.8 million hole in the pool. Yearn Finance reported the incident on X, stating: “We are investigating an incident involving the yETH LST stableswap pool. Yearn Vaults (both V2 and V3) are not affected.”

Blockchain explorers show the exploit involved newly deployed smart contracts that self-destructed after execution, obscuring the trail. The attacker then fragmented the 1,000 ETH into smaller batches and routed them through Tornado Cash, a sanctioned protocol known for obfuscating transaction histories.

Yearn’s Response and Scope

Yearn emphasized that the vulnerability was isolated to an experimental yETH contract and did not impact its core V2 or V3 Vaults, which manage over $500 million in assets. The protocol maintains a live bug bounty program with rewards up to $200,000 for critical discoveries, though no immediate recovery path has been announced. A detailed report is forthcoming as the team continues its investigation.

Security firms tracking the event, including auditors reviewing Yearn’s legacy products, attributed the breach to a long-standing minting weakness in the yETH token logic rather than a flaw in the current vault architecture.

Broader Context in DeFi Security

This exploit is part of a challenging month for DeFi, where the sector lost approximately $127 million to hacks, scams, and vulnerabilities in November 2025, according to CertiK data. It underscores ongoing risks in older smart contract implementations, even for established protocols like Yearn, and the importance of deprecating legacy code.

Yearn’s transparent communication and isolation of the issue have been praised by the community, preventing a larger-scale disaster. The incident serves as a reminder for users to monitor protocol updates and avoid experimental products with unpatched vulnerabilities.

In summary, the Yearn yETH exploit drained $3 million in assets, with the attacker minting unlimited tokens and laundering funds via Tornado Cash. Yearn confirmed the issue is contained to an older contract, with no impact on core vaults, and is investigating further while maintaining its bug bounty program.

Last edited on 2025-12-01 06:22:37