Yearn Finance hit by yETH exploit with $3M sent to Tornado Cash

Yearn Finance is dealing with a new security breach after an attacker hit one of its old yETH token contracts and drained millions of dollars’ worth of ETH and staking assets from Balancer pools.

The attack targeted an outdated version of yETH that still had a serious flaw. This weakness allowed the attacker to mint unlimited yETH tokens. In one move, they created more than 235 trillion tokens — an amount that should never exist — and then used them to pull real assets from Balancer pools.

Right after the exploit, blockchain trackers saw close to 1,000 ETH move through Tornado Cash in several batches. The attacker still controls more assets worth several million dollars across multiple wallets.

Yearn says the issue is limited to old code

The yETH stableswap pool was completely drained within minutes, causing about $2.8 million in losses. Yearn confirmed that this problem only affects an old version of the yETH contract. It does not impact its newer V2 or V3 Vaults. Protocols built on Yearn V3 — like Katana — also said they are not affected.

Security researchers noticed that several helper contracts appeared right before the attack and then self-destructed as soon as the pool was emptied, making the incident harder to trace. Auditors who reviewed older Yearn products linked the exploit to a long-known minting weakness in the legacy yETH logic, not Yearn’s modern vault system.

Yearn runs an active bug bounty program that pays up to $200,000 for major security findings, but there is no update yet on any possible recovery.

Funds still moving on-chain

After the pool collapsed, on-chain analysts saw the attacker move 100 ETH at a time through Tornado Cash. These transactions added up to around 1,000 ETH, and more funds are still sitting in the attacker’s wallets.

Before the exploit, the yETH pool held around $11 million. Yearn says it is still calculating the final losses, but user funds in active vaults remain safe.

This attack adds another chapter to Yearn’s ongoing challenges with older contracts. It comes years after the 2021 yDAI exploit and a 2023 treasury misconfiguration that did not harm user deposits. After the news broke, YFI dropped about 4%, trading near $4,002.