DeFi Faces Mathematical Challenge: Yearn Retrieves $2.4M Following $9M Unlimited Token Breach

Yearn Finance Recovers Millions After Major yETH Exploit

Yearn Finance, a trailblazer in decentralized finance (DeFi), has managed to reclaim roughly $2.4 million in assets that were stolen during a recent breach of its legacy yETH stableswap pool. The attacker took advantage of a severe arithmetic vulnerability in the yETH token contract, enabling them to mint an extraordinary 2.3544×10⁵⁶ yETH tokens—essentially creating an unlimited supply to siphon liquidity from the protocol. The total losses from this incident are estimated at nearly $9 million, and recovery efforts are still underway.

Details of the Attack

This marks the third time Yearn has been targeted since 2021. The exploit was made possible by a flaw in the arithmetic logic of the yETH contract, which allowed the perpetrator to manipulate the token supply and extract genuine assets from liquidity pools. To carry out the attack, the hacker deployed self-destructing helper contracts—an established method in sophisticated DeFi exploits. These contracts executed the malicious minting and withdrawal process before erasing their code to cover their tracks. Among the stolen assets were 1,000 ETH and several liquid staking tokens, some of which were funneled through the Tornado Cash privacy protocol to obscure their origin.

Yearn’s Response and Security Measures

According to Yearn’s post-incident review, the breach was limited to the outdated yETH product and did not impact the newer V2 or V3 vaults, which together hold over $410 million in user deposits. The team has assured users that all recovered funds will be returned to those affected, with 857.49 pxETH already retrieved thanks to partnerships with security experts SEAL 911 and ChainSecurity. The vulnerability was classified as highly complex and resulted from an oversight in the contract’s arithmetic safeguards.

Market Impact and Industry Implications

The market’s reaction to the exploit was mixed. Yearn’s governance token (YFI) initially fell by 4.4% following the news but later surged to $4,160 as traders covered short positions amid thin liquidity. This event highlights ongoing security challenges in DeFi, particularly as attackers increasingly target outdated contracts that remain active even after being deprecated.

DeFi Security Challenges in 2025

The yETH incident adds to a difficult year for DeFi, with total losses from hacks and exploits surpassing $2.5 billion so far in 2025. CertiK’s November report noted $127 million in losses for that month alone, including a $116 million breach of Balancer caused by similar arithmetic flaws, as reported by CryptoNews. Yearn’s experience underscores the dangers inherent in complex smart contracts, where even small errors can result in massive financial damage.

Ongoing Efforts and Future Safeguards

In response, Yearn has suspended the compromised yETH router and introduced a $500,000 bug bounty to encourage further security reviews. The team is collaborating with Chainalysis to track the stolen assets and has implemented real-time monitoring to detect suspicious minting activity. While Yearn’s main infrastructure remains secure, this incident serves as a stark reminder for DeFi projects to remain vigilant, especially when maintaining legacy systems.