Yearn Finance details $9 million yETH exploit, confirms partial recovery and outlines remediation plan
Summary
Decentralized finance protocol Yearn Finance published a post-mortem detailing a $9 million exploit of its yETH weighted stableswap pool on November 30, 2025. The cause was a numerical bug that led to an arithmetic underflow and an 'infinite mint' path.
The attack involved three phases: forcing the pool's solver into a divergent state via imbalanced deposits, over-minting LP tokens, and finally triggering an unsafe subtraction that caused a massive minting of yETH LP tokens, which were used to drain the yETH/WETH Curve pool. Yearn confirmed that only yETH and its direct integrations were affected, while v2 and v3 vaults remained secure.
Yearn has recovered 857.49 pxETH so far, which will be distributed pro rata to affected depositors, though the protocol explicitly states that Yearn contributors and YFI governance are not liable for reimbursement under YIP-72. The remediation plan includes enforcing domain checks, replacing unsafe arithmetic, gating bootstrap logic, and enhancing testing with fuzzing and adversarial cases.
(Source: The Block)