A security breach at Yearn Finance has seen a malicious actor exploit a flaw in the legacy yETH token contract to mint over 235 trillion tokens. This resulted in the draining of millions from Balancer pools and a significant loss for the protocol. The attack, which happened on November 30, 2025, affected an outdated version of Yearn’s yETH product, but not its modern vaults (V2 or V3). Affected assets were drained from the yETH stableswap pool within minutes, resulting in estimated losses of $2.8 million. The attacker swiftly moved funds through Tornado Cash after the exploit. While user funds in active vaults remain safe, the incident underscores Yearn’s ongoing efforts to manage legacy risks and potential vulnerabilities.
Yearn Finance has confirmed that its V2 and V3 vaults are not affected by this issue. This is just another example of how vital it is for DeFi protocols like Yearn to prioritize security updates and address known vulnerabilities to prevent attacks from impacting users’ funds.