DeFi Exploit: Yearn Finance yETH Pool Hacked for $3 Million via ‘Super-Mint’ Flaw
Yearn Finance has suffered a serious attack on its yETH product, allowing an attacker to siphon off roughly one thousand ETH — nearly $3 million — by exploiting a flaw in the mechanics of the stableswap pool. The exploit enabled the creation of a virtually limitless amount of yETH in a single operation, after which the attacker swiftly drained liquidity and partially obscured the trail through Tornado Cash. Although the pool had held around $11 million before the incident, Yearn Finance’s primary vaults — V2 and V3 — remained untouched.
Blockchain data shows that the attack was orchestrated through a series of newly deployed smart contracts created solely for rapid execution and immediate self-destruction. This design allowed the attacker to inflate the yETH supply, withdraw assets, and erase critical transactional evidence. A representative of Yearn Finance confirmed the breach, while stressing that the damage was confined to the LST pool and that the platform’s core infrastructure remains secure. The team is continuing to investigate the precise circumstances of the incident.
The first to raise the alarm was a user known as Togbe, who spotted suspicious activity while monitoring large on-chain movements. According to him, the “super-mint” of yETH served as the attacker’s primary mechanism for emptying the pool, yielding approximately one thousand ETH in profit, though a small portion of the funds was lost along the way. Experts view the event as part of a growing surge in DeFi exploits: in November alone, the sector lost more than $127 million to hacks, scams, and vulnerability exploitation, with smart contracts overtaking phishing and wallet attacks as the foremost systemic risk.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
