How did a vulnerability in a single stableswap contract allow attackers to drain approximately $9 million from Yearn Finance on November 30, 2025? The exploit targeted a modified stableswap contract specific to yETH tokens, which operated independently from Yearn’s core vault infrastructure. Unlike the secure V2 and V3 vaults that remained fully operational, this peripheral contract contained critical arithmetic and accounting bugs that enabled attackers to mint effectively infinite tokens with negligible collateral backing.
The attacker minted approximately 235 trillion yETH tokens supported by only 16 wei, a minuscule fraction of ETH value. This massive discrepancy between token supply and actual collateral resulted from a fundamental flaw in the contract’s accounting mechanisms. The exploit leveraged multiple deposit-withdraw cycles to corrupt the contract’s internal state, creating phantom balances that the system could not properly track or validate, allowing the attacker to extract real value against virtually nothing.
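A defender can watch for the mismatch described above by replaying pool activity and checking that minted tokens stay proportionate to the collateral behind them. The sketch below is an added example, not code from Yearn or from the affected contract; the event shape, the 2x tolerance, the dust threshold and the sample events are assumptions, with only the 16 wei and 235 trillion figures taken from the article.

```python
from dataclasses import dataclass

ETH = 10**18  # wei per ETH; share tokens assumed to use 18 decimals too

@dataclass
class PoolEvent:              # hypothetical event shape, not the contract's ABI
    kind: str                 # "deposit" or "withdraw"
    assets_wei: int           # collateral moved in or out
    shares_wei: int           # pool tokens minted or burned

def audit(events, max_ratio=2, min_backing_wei=10**15):
    """Replay events; return (index, reason) for every invariant violation."""
    supply = backing = 0
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind == "deposit":
            supply += ev.shares_wei
            backing += ev.assets_wei
            # Shares minted must stay proportionate to collateral received.
            if ev.shares_wei > max_ratio * ev.assets_wei:
                alerts.append((i, "mint_exceeds_deposit"))
        elif ev.kind == "withdraw":
            supply -= ev.shares_wei
            backing -= ev.assets_wei
            # Collateral paid out must stay proportionate to shares burned.
            if ev.assets_wei > max_ratio * ev.shares_wei:
                alerts.append((i, "payout_exceeds_burn"))
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
        if supply < 0 or backing < 0:
            alerts.append((i, "negative_accounting"))
        elif supply > 0 and backing < min_backing_wei:
            # Tokens outstanding while the pool holds only dust.
            alerts.append((i, "supply_on_dust_backing"))
    return alerts

# Constructed sample: ordinary activity, then a mint with the figures quoted above.
SAMPLE = [
    PoolEvent("deposit", 100 * ETH, 100 * ETH),
    PoolEvent("withdraw", 100 * ETH, 100 * ETH),
    PoolEvent("deposit", 16, 235 * 10**12 * ETH),
]

if __name__ == "__main__":
    for index, reason in audit(SAMPLE):
        print(f"event {index}: {reason}")
```

A real stableswap pool does not price shares at exactly 1:1, so the tolerance would be tuned to the pool's expected rate range.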
The attack employed sophisticated techniques including flash loans from Balancer and Aave pools, which provided substantial capital without requiring upfront funds. Self-destructing smart contracts obscured transaction trails during execution, while multiple wallet addresses distributed stolen assets to complicate tracking efforts. The attacker successfully siphoned approximately 1,000 ETH worth $3 million, along with various staked ETH derivatives including over 750 wstETH, 400 rETH, and 200 cbETH tokens. The exploit was made possible by an arithmetic bug in the contract code that validators failed to identify during initial reviews. The incident occurred at 21:11 UTC on November 30, marking another critical security event for the protocol.
Approximately $6 million in assets remained in attacker wallets initially, though roughly $2.4 million was eventually recovered through coordinated efforts with security firms including PeckShield, Plume Network, and ChainSecurity. The attacker laundered around 1,000 ETH through Tornado Cash privacy mixers and bridged additional stolen funds to Bitcoin to evade detection across blockchain networks.
Yearn Finance responded swiftly by isolating the affected protocol and confirming that core vault systems remained uncompromised. The organization initiated clawback procedures and maintained transparency with stakeholders throughout recovery efforts. This incident underscores the importance of rigorous contract auditing and the distinction between well-tested core protocols and peripheral systems that may contain undiscovered vulnerabilities requiring immediate security review.








