Yearn loses $9M in flash loan exploit

Yearn Finance, a prominent decentralized finance protocol, suffered a $9 million exploit on December 1, 2025, marking another significant vulnerability in a platform that has experienced three major security breaches since 2021. The attack targeted the yETH stableswap pool, a custom implementation of stableswap code, utilizing sophisticated multi-stage manipulation tactics that exposed fundamental weaknesses in the protocol’s architecture and validation systems.

The exploit mechanism demonstrated exceptional capital efficiency, representing one of the most economical attacks in DeFi history. The attacker orchestrated flash loans from Balancer and Aave to obtain multiple staking derivatives, including wstETH, rETH, WETH, ETHx, and cbETH. Through sequential deposit-withdrawal cycles, the attacker poisoned the protocol’s internal state by accumulating phantom balances within the packed_vbs[] storage array. This manipulation permitted the virtual balance system to be leveraged for near-infinite minting of yETH LP tokens, culminating in a single transaction that minted 235 septillion tokens with minimal capital input—approximately 16 wei, equivalent to roughly $0.000000000000000045.

Flash loans enabled near-infinite minting of yETH tokens through phantom balance accumulation, representing one of DeFi’s most capital-efficient attacks ever executed.

The underlying technical vulnerability centered on the yETH pool’s inadequate handling of extreme scenarios and precision control mechanisms. The protocol failed to properly reset cached values following withdrawals, and logical branching flaws created exploitable edge cases that permitted token minting with negligible deposits. The attack commenced on November 30, 2025, at 21:11 UTC, with the exploit transaction executing within hours of the initial breach attempt. The zero-amount remove_liquidity operations executed vb_prod calculations despite the amount parameter being zero, enabling the attacker to trigger state corruption without meaningful asset withdrawal. Yearn developers confirmed via official channels that no other Yearn products use code similar to the affected custom stableswap contract.
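To make the caching failure concrete, here is a constructed toy model, not Yearn's yETH code and not its invariant math: a stableswap-like pool that mints LP tokens against a cached invariant rather than against actual balances. Its withdrawal path has the two defects the article describes in miniature, a missing zero-amount guard and a lossy in-place recomputation of the cache, so repeated zero-amount calls leave phantom headroom that a one-unit deposit then converts into a disproportionate mint. A hardened pool beside it rejects zero-amount calls and rebuilds the cache from storage, and `is_consistent` is the kind of invariant a property test or on-chain monitor would assert after every call. The pool class names, the constant-sum invariant, the divide-before-multiply rounding and all balances are assumptions chosen for illustration.

```python
"""Constructed toy model (not Yearn's yETH code) of a pool that mints LP
tokens against a cached invariant. Contrasts a withdrawal path that runs a
lossy cache recomputation even for amount == 0 with a hardened path that
rejects zero amounts and rebuilds the cache from actual balances.
All quantities are small constructed units, not wei."""

from dataclasses import dataclass, field
from typing import Dict, List


def invariant(balances: List[int]) -> int:
    # Toy invariant: a constant-sum pool. The real stableswap math differs;
    # only the caching pattern is of interest here.
    return sum(balances)


@dataclass
class VulnerablePool:
    balances: List[int]
    lp_supply: int
    cached_inv: int = field(init=False)

    def __post_init__(self) -> None:
        self.cached_inv = invariant(self.balances)

    def add_liquidity(self, idx: int, amount: int) -> int:
        """Mint LP in proportion to growth of the CACHED invariant."""
        self.balances[idx] += amount
        new_inv = invariant(self.balances)
        minted = self.lp_supply * (new_inv - self.cached_inv) // self.cached_inv
        self.lp_supply += minted
        self.cached_inv = new_inv
        return minted

    def remove_liquidity(self, idx: int, amount: int) -> None:
        """Defect 1: no guard for amount == 0, so the recompute runs anyway.
        Defect 2: the cache is adjusted in place with a divide-before-multiply,
        which rounds it down even when nothing leaves the pool."""
        bal = self.balances[idx]
        self.lp_supply -= self.lp_supply * amount // invariant(self.balances)
        self.balances[idx] = bal - amount
        self.cached_inv = self.cached_inv // bal * (bal - amount)


class HardenedPool(VulnerablePool):
    def remove_liquidity(self, idx: int, amount: int) -> None:
        if amount <= 0:
            raise ValueError("withdrawal amount must be positive")
        bal = self.balances[idx]
        if amount > bal:
            raise ValueError("insufficient pool balance")
        self.lp_supply -= self.lp_supply * amount // invariant(self.balances)
        self.balances[idx] = bal - amount
        # Rebuild the cache from storage instead of adjusting it in place.
        self.cached_inv = invariant(self.balances)


def is_consistent(pool: VulnerablePool) -> bool:
    """Invariant a property test or monitor should assert after every call."""
    return pool.cached_inv == invariant(pool.balances)


def drift_demo() -> Dict[str, object]:
    """Run the same zero-amount cycle against both pools and report outcomes."""
    vuln = VulnerablePool(balances=[1000, 1100, 1200], lp_supply=3300)
    for idx in (0, 1, 2, 0):
        vuln.remove_liquidity(idx, 0)       # no tokens move, cache shrinks
    vuln_consistent = is_consistent(vuln)   # monitor would flag this: False
    minted_vuln = vuln.add_liquidity(0, 1)  # one unit in, thousands of LP out

    hard = HardenedPool(balances=[1000, 1100, 1200], lp_supply=3300)
    rejected = False
    try:
        hard.remove_liquidity(0, 0)
    except ValueError:
        rejected = True
    minted_hard = hard.add_liquidity(0, 1)

    return {
        "vulnerable_consistent_after_cycle": vuln_consistent,
        "minted_vulnerable": minted_vuln,
        "minted_hardened": minted_hard,
        "hardened_rejected_zero": rejected,
        "hardened_consistent": is_consistent(hard),
    }


if __name__ == "__main__":
    for key, value in drift_demo().items():
        print(f"{key}: {value}")
```

The point of `is_consistent` is that the drift is visible before any mint happens: after the four zero-amount calls the cached invariant no longer matches the stored balances, which a post-condition in a fuzz harness or an off-chain watcher comparing cached and recomputed state would catch. The hardened path removes both conditions at once, since with the guard in place the lossy branch is never reached for a zero amount, and rebuilding from storage means no in-place arithmetic can accumulate error across calls.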

Fund movement data reveals the attacker transferred 1,000 ETH to Tornado Cash, with an additional 1,600 ETH directed to exploiter-linked addresses. The attacker retained approximately $6 million in assets, including ETH, stETH, and Rocket Pool and Lido derivatives. Yearn Finance subsequently confirmed that V2 and V3 vaults remained unaffected, though the incident recovery yielded only $2.39 million in pxETH. The breach underscores the increasing sophistication of DeFi attacks, where flash loans serve as catalysts for exploiting multi-vulnerability combinations. Industry observers emphasize that such incidents demonstrate the critical necessity for robust logical verification, enhanced edge scenario validation, and thorough protocol auditing before deployment.
