🔍 What happened with Yearn / yETH?
On November 30, 2025, Yearn confirmed that its pool/contract "yETH LST stableswap" was exploited.
The vulnerability allowed an attacker to perform an "infinite mint" of yETH, that is, the attacker created a practically unlimited amount of fake yETH tokens.
With those fake tokens, the attacker immediately exchanged them for real assets — mainly ETH and other staking-derived tokens — draining the liquidity of the "legacy" yETH pool in just a few minutes.
According to reports, the total loss is estimated at ≈ US$ 8 to US$ 9 million.
Part of the stolen funds, around 1,000 ETH (≈ US$ 3 million at the time), was quickly sent to a mixer (Tornado Cash), apparently to hide traces.
Yearn claims that only the “legacy pool” of yETH was affected: its current main products, the “Vaults V2/V3”, were not impacted.
Immediately after the attack, that pool was isolated. The protocol authorities and security analysts began a post-mortem audit to determine the failure and trace responsibilities.
✅ What is known for sure — official confirmations?
That there was an exploit against yETH, with “infinite mint” of tokens.
That real assets were drained: ETH and liquid staking tokens.
That the estimated damage is around US$ 8–9 million.
That Yearn's main products/“Vaults” are not compromised (at least according to their official version).
That assets were partially recovered: an initial recovery of about US$ 2.4 million linked to the exploit was reported.
⚠️ What are the risks and what changes for users / for DeFi?
This incident has several risk aspects and consequences for the DeFi community:
🔐 Systemic technical vulnerability: an “infinite mint” implies a serious logical failure in the contract — not a minor error. This shows that even large and audited protocols can have critical gaps, which affects trust in complex smart contracts.
🚨 Loss of liquidity and trust in “composite” or “liquid staking + pools” products: yETH combined staking derivatives (LST) with liquidity, which adds layers of complexity: vulnerabilities in any of those layers can have cascading effects.
💵 Real losses for part of the community: if there were users in that specific pool, they could see their deposits affected. Although Yearn claims it isolated the pool, not all users manage to exit in time.
🧑‍⚖️ Damaged reputation and diminished trust in security: when an exploit hits a recognized protocol, many people will reevaluate their trust in DeFi and in smart contracts, and prefer more conservative custody or simpler products.
🔁 Possible increase in audits, strict reviews, less rapid innovation: DeFi developers and projects may become more cautious, slowing down new releases, innovation, or adding regulatory / due diligence brakes.
🔎 What is worth following closely now
What the Yearn audit / “post-mortem” reveals: what kind of error allowed the “infinite mint”, and whether it was a known (or new) vulnerability.
If Yearn manages to recover more funds: ~US$ 2.4 million has already been recovered, but the rest is still outstanding.
How the DeFi community reacts: whether there is a loss of confidence, capital flight to protocols considered “safe”, or a drop in liquidity in staking/LPs.
If other projects with similar structures review their contracts to avoid similar vulnerabilities: it could serve as a technical wake-up call for the entire ecosystem.
Impact on the protocol's token price (if applicable), and on tokens related to staking or DeFi — confidence drops usually affect not only the protocol but also the general sentiment.
This hack on Yearn's yETH demonstrates that, despite Yearn's popularity and track record, DeFi protocols remain very vulnerable to code failures. The exploit was serious, with million-dollar losses, and although the “main Vaults” survived, market trust may be hurt. It is a wake-up call for investors, developers, and users: innovation in DeFi comes with real risks, and there is no guarantee of total security.
