The popular DeFi protocol Yearn Finance is the latest to suffer an attack, in which an attacker made away with around $3 million worth of ETH from its yETH vault. The exploit was aimed at the protocol’s liquid-staking index token, yETH, allowing a hacker to mint close to infinity tokens and suck the pool dry in one transaction. According to blockchain analysis, the attacker exploited a vulnerability in yETH’s smart contract that combines these liquid staking tokens into a tradable index token. In a post on X, Yearn confirmed that the exploit was isolated to the yETH pool and its other vaults (V2 and V3) remain unaffected. Blockchain analysts are closely monitoring the network to determine if there is further suspicious activity. This is one of the ways a single bug in a complex DeFi product can result in significant losses. At this stage, the full magnitude of the loss is still being assessed. While the visible drain totals approximately $3 million, liquidity pools backing many users’ staked positions may also have been affected. Yearn acts after yETH breach, secures vaults Yearn Finance has confirmed that its yETH vault was hacked, although only the LST stableswap pool was impacted, and no other part of the code had been infiltrated. The company scrambled to assure its customers that its main vault products (V2 and V3) were still 100% secure and that the attack had not compromised them. The Yearn team states that it is conducting a thorough internal investigation to determine exactly how the exploit was executed and whether any other assets were affected. This involves auditing snippets of code, monitoring on-chain transactions, and collaborating with security professionals to ensure that no other mistakes remain undiscovered. The hack was first flagged by X user Togbe, who reported noticing the apparent attack while monitoring large transfers. “Net transfers suggest yETH super mint let the attacker drain the pool for some gain of 1k ETH,” Togbe said in a message. “Somehow, other eth was sacrificed in this, but they still made away with profit.” The breach serves as a crucial reminder about the risks that may be present in DeFi, including those for protocols with solid reputations and previous audit histories. Yearn’s response, characterized by openness to the public, active monitoring of developments, and its dedication to auditing, aligns with a protocol that prioritizes user security in decision-making, while continuing to explore all facets related to DeFi. DeFi protocols face rising threats from hackers The Yearn Finance yETH Pool attack isn’t an isolated occurrence; it’s symptomatic of a larger, exponentially growing trend that poses existential threats to the decentralized finance (DeFi) ecosystem. As recently reported by Cryptopolitan , in November 2025, the space lost approximately $127 million to hacks, scams, and exploits. According to experts, tech risk, rather than phishing or hacked wallets, has been the largest threat to DeFi projects so far – it appears that the majority of flash loan (and other) issues were due to smart contract code flaws. The yETH attack is an example that even highly used and audited platforms are not invulnerable. Protocol-inclusive protocols with feature-rich toolsets, such as Liquid Staking, Auto Token-Indexing, and Aggregate Quotations, can potentially expand the attack surface area, allowing protocol attacks to be compromised by a more sophisticated hack over time. And designed to be as efficient and slippery as possible for their intended customers, such systems can also inadvertently create doorways that even the bad guys will have noticed by now. The latest attacks have been similar, according to security experts. Hackers are now employing increasingly sophisticated and multi-stepped plays, utilizing incredibly agile, premeditated movements through self-destructing smart contracts. These self-destructing smart contracts are used to transfer the stolen funds via privacy-focused mixers like Tornado Cash. Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free .
