Source: DefiPlanet
Original Title: Yearn Finance Hit by New Exploit as Attacker Mints Trillions of yETH Tokens
Original Link:
Quick Breakdown
Attacker exploited a legacy yETH contract to mint over 235 trillion tokens and drain Balancer pools.
At least $3M has moved through Tornado Cash, with more funds still linked to the attacker’s wallets.
Yearn says its V2 and V3 vaults remain secure, limiting the impact to outdated infrastructure.
Infinite-mint attack drains millions from Balancer pools
Yearn Finance is grappling with a fresh security breach after an attacker abused a long-standing flaw in its legacy yETH token contract. Late on November 30, the exploiter triggered an infinite-mint vulnerability that allowed them to generate more than 235 trillion yETH tokens in a single transaction, a supply far beyond what should exist.
We are investigating an incident involving the yETH LST stableswap pool.
Yearn Vaults (both V2 and V3) are not affected.
Armed with this massive token batch, the attacker rapidly drained Balancer pools holding real assets, including ETH and major liquid staking derivatives. The yETH stableswap pool was drained within minutes, resulting in an estimated $2.8 million deficit.
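The defining signal of the attack described above is a single mint that dwarfs the token's existing supply. As an added illustration (not code from Yearn or from the original article), the monitor below tracks supply from ERC-20 Transfer events and flags any mint that exceeds a fixed fraction of the prior supply; the event stream, addresses and 18-decimal assumption are all constructed for the demo.

```python
from dataclasses import dataclass
from decimal import Decimal

# ERC-20 convention: a Transfer from the zero address is a mint, to it a burn.
ZERO_ADDRESS = "0x" + "00" * 20
WEI = 10**18  # assumes an 18-decimal token (constructed, not yETH's real ABI)


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    recipient: str
    amount: int  # raw token units


class MintMonitor:
    """Tracks supply from Transfer events and flags any single mint larger
    than max_mint_ratio times the supply that existed before it."""

    def __init__(self, initial_supply: int, max_mint_ratio: str = "0.10"):
        self.supply = initial_supply
        self.max_mint_ratio = Decimal(max_mint_ratio)
        self.alerts: list[str] = []

    def observe(self, t: Transfer) -> bool:
        """Update tracked supply; return True when the event is a suspicious mint."""
        if t.sender != ZERO_ADDRESS:
            if t.recipient == ZERO_ADDRESS:
                self.supply -= t.amount
            return False
        before, self.supply = self.supply, self.supply + t.amount
        # A contract minting its very first supply is expected; only check the ratio after that.
        if before > 0 and Decimal(t.amount) / Decimal(before) > self.max_mint_ratio:
            self.alerts.append(f"{t.tx_hash}: minted {t.amount // WEI} tokens "
                               f"against a prior supply of {before // WEI}")
            return True
        return False


def run_demo() -> list[str]:
    """Constructed events: a routine mint, a burn, then a runaway mint."""
    monitor = MintMonitor(initial_supply=10_000 * WEI)
    events = [
        Transfer("0xconstructed-1", ZERO_ADDRESS, "0xuser-a", 50 * WEI),
        Transfer("0xconstructed-2", "0xuser-a", ZERO_ADDRESS, 20 * WEI),
        Transfer("0xconstructed-3", ZERO_ADDRESS, "0xattacker", 235 * 10**12 * WEI),
    ]
    return [e.tx_hash for e in events if monitor.observe(e)]
```

In practice the monitor would be fed from a log subscription on the token contract; the threshold is a tuning choice, and a legitimate large mint (a migration, for instance) still warrants a human look.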
Incident confined to old yETH product, not modern vaults
Yearn Finance confirmed that the issue stemmed from an outdated version of its yETH logic, stressing that the flaw does not affect its V2 or V3 vaults. Protocols built on Yearn V3, such as Katana, also reported zero exposure.
Security analysts noted that a cluster of helper contracts appeared briefly before the attack and self-destructed once the pools were drained, an evasive tactic commonly used to blur on-chain traces. Early reviews suggest the exploit originated from a known minting weakness in the legacy contract, not Yearn’s current architecture.
The protocol maintains an active bug bounty program offering up to $200,000 for critical findings, though no recovery plan has been announced.
Funds routed through Tornado Cash amid ongoing movement
On-chain watchers, including researcher Togbo, reported that the attacker moved ETH in batches of 100 through Tornado Cash shortly after the exploit. Roughly 1,000 ETH was mixed within hours, while additional assets worth several million dollars remain in the attacker’s wallets.
The yETH pool held around $11 million before the breach. Yearn reiterated that user funds in active vaults are safe, even as the final loss figures are still being tallied.
The incident adds to Yearn’s history of handling legacy risks, following its 2021 yDAI exploit and a 2023 treasury misconfiguration.
Rugpull幸存者
· 12-01 12:48
It's the legacy contracts causing trouble again. When can we clean up these old relics?
GasBankrupter
· 12-01 12:43
Haha, is it another legacy contract mess? Yearn is really struggling this time.
ForkThisDAO
· 12-01 12:36
Is Yearn in trouble again? Oh my, 235 trillion? That's just ridiculous... the legacy contract is really a pit.