On November 30, unknown attackers targeted the Yearn Finance protocol, resulting in a total loss of $9 million, according to blockchain security experts PeckShield.
#PeckShieldAlert Yearn Finance @yearnfi suffered an attack resulting in a total loss of ~$9M.
The exploit involved minting a near-infinite number of yETH tokens, depleting the pool in a single transaction.
~1K $ETH (worth ~$3M) was sent to #TornadoCash, while the exploiter’s… pic.twitter.com/IXNygpwoWa
— PeckShieldAlert (@PeckShieldAlert) December 1, 2025
Details
The project team confirmed the hack, emphasizing that it was due to a vulnerability in the Yearn Ether (yETH) product code.
At 21:11 UTC on Nov 30, an incident occurred involving the yETH stableswap pool that resulted in the minting of a large amount of yETH. The contract impacted is a custom version of popular stableswap code, unrelated to other Yearn products. Yearn V2/V3 vaults are not at risk.
— yearn (@yearnfi) December 1, 2025
According to PeckShield, the attackers minted nearly infinite tokens, draining the entire pool in a single transaction of 1000 ETH (~$3 million).
The stolen funds were immediately sent by the hackers to the crypto mixer Tornado Cash.
Yearn developers stated that the affected contract is a custom version of popular stableswap code, not linked to other protocol products. Yearn V2/V3 remain secure, they emphasized.
Preliminary data indicated the following approximate losses:
- $8 million from the affected stableswap pool;
- $0.9 million from the yETH-WETH stable swap pool on Curve.
“Initial analysis showed that the complexity of the hack is similar to the recent Balancer exploit, so please be patient as we conduct our analysis. No other Yearn product uses code similar to the one affected,” the project team added.
Impact
Following the incident, the Yearn token — YFI — fell by 5.5%. At the time of writing, the asset is trading around $3900 with a market capitalization of $132.6 million.
TVL of the protocol decreased from $432 million to $410 million over the past day. At its peak in November 2021, the figure was $6.7 billion.
This latest incident is not the first hack of Yearn. In 2021, an unknown party extracted $2.8 million from the v1 yDAI pool. The project promptly compensated affected users for their losses.
In December 2023, due to a “faulty scenario” in a multisig transaction, the protocol lost 63% of its treasury funds in the Lp yCRV pool. The incident occurred during a “routine token fee conversion process” and resulted in the exchange of 3,794,894 yCRV for 779,958 yvDAI. The team clarified that the loss amounted to $1.4 million.
In November 2025, on-chain researcher tanuki42 discovered an undisclosed hack of the market maker DWF Labs for $44 million.