The decentralized yield optimizer Yearn Finance faced a gut-punch on November 30, 2025, as a cunning infinite-mint attack ravaged its legacy yETH liquid staking token (LST) stableswap pool, siphoning ~$9 million in assets. Flagged by on-chain sleuth @Togbe and PeckShieldAlert, the breach—unfolding in a blistering single transaction—exposed persistent risks in outdated DeFi plumbing, even as core vaults held firm.
At ~9:11 PM UTC, the attacker deployed ephemeral smart contracts to forge ~235 trillion yETH tokens, flooding Balancer liquidity pools and extracting real value: ~751 wstETH, 412 rETH, 203 cbETH (~$8M), plus $0.9M from the yETH-WETH Curve pair. The windfall—net ~1,000 ETH (~$3M at $3K/ETH)—was funneled straight to Tornado Cash’s obfuscating tumbler, with ~$740K in LSTs idling in attacker wallets (0x7a… on Etherscan). Self-destructing helpers masked the trail, per blockchain forensics.
Yearn’s official X dispatch (~11 PM UTC) reassured: “We are investigating an incident involving the yETH LST stableswap pool. Yearn Vaults (both V2 and V3) are not affected.” Managing $500M+ TVL, the team activated a $200K bug bounty, collaborating with auditors like OpenZeppelin for root-cause dissection—no patching timeline yet, but legacy code’s “long-standing weakness” drew ire.
This November nadir, with $127–135M in DeFi losses per CertiK, including Balancer’s $116M, pushed YFI down 5.5% to $3,900 and trimmed TVL from $432M to $410M. Community calls echo: mandate multi-sig, invariant checks, and on-chain insurance amid #DeFiDead chants.
For liquidity providers: monitor yfi.eth for reimbursements; affected LPs face impermanent loss until resolution. Broader lesson? High APYs (yETH’s 5%) lure, but legacy traps lurk: DYOR, check audit trails, and diversify. As Yearn fortifies, the hack spotlights DeFi’s siren song: Yield’s promise, peril’s price.