Unsafe Arithmetic in Yearn yETH Stableswap Pool Enables $9 Million Supply Manipulation Attack

On November 30, 2025, at approximately 21:11 UTC, a sophisticated attacker exploited a critical vulnerability in Yearn Finance’s yETH Weighted Stableswap Pool, making off with approximately $9 million in liquid staking derivatives and wrapped Ethereum. The incident highlights the persistent dangers of unsafe mathematical operations in DeFi smart contracts — a class of bugs that continues to plague even well-established protocols with years of operational history. Bitcoin traded at $86,300 and Ethereum at $2,800 at the time of the attack, underscoring the significant value at risk in Ethereum-based DeFi pools.

The Exploit Mechanics

The root cause of this attack lies in the _calc_supply function within Yearn’s yETH Weighted Stableswap Pool contract. This function calculates the total LP token supply when the pool is fully balanced. The vulnerability stems from unsafe mathematical operations — specifically, the function lacks proper overflow and underflow checks during iterative supply recalculation.

The yETH pool is an Automated Market Maker (AMM) pool composed of various Ethereum liquid staking derivatives (LSTs), including wstETH, rETH, cbETH, and others. Each LST asset has an associated rate provider, and the asset balance multiplied by its rate produces a “virtual balance” (vb). The contract maintains a variable D representing total LP token supply, with any increase or decrease resulting in proportional minting or burning of yETH tokens.

The attacker’s strategy was methodical and multi-phase. First, they executed a flash loan to borrow large amounts of LST assets. Part of the WETH was swapped to ETH and deposited into Tornado Cash. When the attacker withdrew funds from Tornado Cash, the fallback function of the malicious contract initiated the core attack sequence.

Inside the malicious contract, the attacker called update_rates to update rate providers for six LST assets and rebalance pool liquidity. They then used 800 WETH to mint yETH LP tokens. What followed were five consecutive cycles of removing and re-adding liquidity. During removal, yETH was burned and all eight LST assets were redeemed based on their weights. However, during re-addition, the attacker only supplied liquidity for some assets — deliberately omitting cbETH, wOETH, and mETH.

After the fifth liquidity manipulation cycle, the total virtual balance product (vb_prod) was updated to zero, and the supply variable D was updated to a value close to the total virtual balance (vb_sum) — significantly larger than expected. The attacker successfully minted approximately 235 trillion yETH tokens without providing the necessary collateral backing, then swapped these unbacked tokens for legitimate assets including stETH, rETH, and cbETH.

Affected Systems

The primary target was the yETH Weighted Stableswap Pool, which lost approximately $8 million. A connected Curve yETH-WETH Stableswap pool was also drained for an additional $900,000. The attacker’s wallet address (0xa80d…c822) held approximately $6 million in remaining stolen funds following the initial laundering of roughly 1,000 ETH ($3 million) through Tornado Cash.

Critically, Yearn Finance’s core V2 and V3 vault products were not affected. The compromised contract was a customized version of stableswap code that operated independently from the rest of the Yearn ecosystem. No other Yearn product uses similar code to what was compromised in this attack.

The Mitigation Strategy

Yearn Finance responded rapidly to the incident. A coordinated “war room” was established with SEAL911 and audit partner ChainSecurity. The protocol successfully recovered 857.49 pxETH, valued at approximately $2.39 million, through a collaborative operation with the Plume and Dinero teams. Recovery efforts remain active and ongoing, with all recovered assets earmarked for return to affected depositors.

The recovery leveraged clawback mechanisms available through specific token contracts — the pxETH recovered was possible because the Plume and Dinero teams had the ability to freeze and return tokens that had not yet been fully laundered by the attacker.

Lessons Learned

This incident reinforces several critical security principles for DeFi protocols and users alike. First, legacy contracts that have not been re-audited against modern Solidity best practices represent a significant attack surface. The unsafe math operations at the heart of this exploit would have been caught by modern auditing tools and the Solidity 0.8+ built-in overflow checks.

Second, the complexity of AMM math — particularly in stableswap pools that use iterative supply calculations — creates opportunities for subtle vulnerabilities that may not be apparent in standard code reviews. Protocols should implement rigorous formal verification for any contract handling mathematical calculations that determine token minting and burning.
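The two points above (checked arithmetic and the sensitivity of an iterative supply calculation to a corrupted vb_prod) can be made concrete with a small model. The following is an added example written for this article, not code from Yearn, ChainSecurity or the yETH pool; the closed-form supply formula `D = Ann * S / (Ann + vb_prod - 1)`, the equal-weight product definition, the amplification value `ann`, and the `ROUNDING_TOLERANCE` constant are all constructed assumptions that stand in for the real stableswap solver. It shows why a cached product of zero pushes the supply above the virtual-balance sum when nothing validates it, and which checks stop that path.

```python
# Added example: a toy model of an invariant-based LP supply update and the
# guards a defender would want around it. Constructed for illustration; this is
# NOT the yETH contract's formula or code.

PRECISION = 10**18           # 1e18 fixed point, the usual EVM pool convention
UINT256_MAX = 2**256 - 1
ROUNDING_TOLERANCE = 10**9   # allowance for truncation in the product (assumption)


class InvariantViolation(Exception):
    """A sanity check failed; on-chain this would be a revert."""


def checked(value):
    """Emulate checked arithmetic (Solidity 0.8+): a result that does not fit in
    uint256 aborts instead of silently wrapping."""
    if value < 0 or value > UINT256_MAX:
        raise InvariantViolation("arithmetic overflow/underflow")
    return value


def normalised_product(virtual_balances):
    """Product over all assets of S / (n * vb_i) in 1e18 fixed point, with S the
    virtual-balance sum and n the asset count (equal weights assumed). By AM-GM
    this equals 1e18 for a perfectly balanced pool and is larger otherwise, so a
    value below 1e18 (zero included) cannot come from real balances."""
    n = len(virtual_balances)
    s = sum(virtual_balances)
    prod = PRECISION
    for vb in virtual_balances:
        if vb == 0:
            raise InvariantViolation("asset with zero virtual balance")
        prod = checked(prod * s) // (n * vb)
    return prod


def calc_supply_unchecked(vb_sum, vb_prod, ann):
    """Toy closed-form stand-in for a stableswap-style supply solve,
        D = Ann * S / (Ann + vb_prod - 1),
    written the pre-Solidity-0.8 way: intermediates wrap modulo 2**256 and the
    cached vb_prod is trusted as-is. ann is the amplification term A * n**n."""
    denominator = (ann * PRECISION + vb_prod - PRECISION) & UINT256_MAX
    numerator = (ann * PRECISION * vb_sum) & UINT256_MAX
    return numerator // denominator


def calc_supply_checked(virtual_balances, stored_vb_prod, ann):
    """The same solve with the checks a reviewer would ask for:
    1. every intermediate goes through checked();
    2. the cached product is recomputed from the actual balances and must agree,
       so a partial liquidity update cannot leave a stale or zeroed aggregate;
    3. the product may never sit below its balanced value (minus rounding);
    4. post-condition: the supply never exceeds the sum of virtual balances."""
    vb_sum = sum(virtual_balances)
    actual = normalised_product(virtual_balances)
    if abs(actual - stored_vb_prod) > ROUNDING_TOLERANCE:
        raise InvariantViolation("cached vb_prod disagrees with balances")
    if stored_vb_prod < PRECISION - ROUNDING_TOLERANCE:
        raise InvariantViolation("vb_prod below its balanced value")
    denominator = checked(ann * PRECISION + stored_vb_prod - PRECISION)
    supply = checked(ann * PRECISION * vb_sum) // denominator
    if supply > vb_sum:
        raise InvariantViolation("supply exceeds virtual balance sum")
    return supply


def demo():
    """Balanced four-asset pool (constructed numbers): the checked path returns
    D == S; a zeroed cached product makes the unchecked path return D > S (the
    write-up's 'close to vb_sum, significantly larger than expected'), while the
    checked path rejects the corrupted state."""
    ann = 10 * 4**4                      # A = 10, n = 4 (toy values)
    balanced = [100 * 10**18] * 4
    vb_sum = sum(balanced)
    good = calc_supply_checked(balanced, normalised_product(balanced), ann)
    bad = calc_supply_unchecked(vb_sum, 0, ann)
    try:
        calc_supply_checked(balanced, 0, ann)
        rejected = False
    except InvariantViolation:
        rejected = True
    return good, bad, rejected


if __name__ == "__main__":
    good, bad, rejected = demo()
    print(f"checked supply: {good}")
    print(f"unchecked supply with vb_prod=0: {bad} (exceeds sum: {bad > 400 * 10**18})")
    print(f"checked path rejected corrupted state: {rejected}")
```

The point of check 2 is the one most relevant to a pool whose liquidity is updated asset by asset: an aggregate that is cached across partial updates has to be reconciled with the balances it claims to summarise before it feeds a mint or burn, otherwise checked arithmetic alone will happily compute a perfectly in-range but wrong supply.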

Third, the isolation of the compromised pool from Yearn’s core products proved crucial in limiting the blast radius. Well-architected separation of concerns in DeFi protocols is not merely good engineering — it is an essential security measure.

User Action Required

Users who had funds deposited in the yETH Stableswap Pool should monitor Yearn Finance’s official channels for updates on the recovery process. Users of Yearn V2 and V3 vaults are not affected and no action is required. All DeFi users should verify that their deposits are in actively maintained and recently audited contracts, and avoid legacy pools that have not undergone contemporary security review.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.

9 thoughts on “Unsafe Arithmetic in Yearn yETH Stableswap Pool Enables $9 Million Supply Manipulation Attack”

  1. flash loan to borrow LST assets, swap to ETH, tornado cash withdrawal, then trigger the attack via the fallback function. methodical and well planned

    1. lst_bag_ the tornado cash withdrawal triggering the fallback function is the clever part. the attacker hid their attack contract execution inside a legit-looking withdrawal flow

  2. formal verification would have caught the unchecked supply recalculation before deployment. how many more $9M exploits before it becomes standard for vault contracts

  3. It is wild that we are still seeing supply manipulation via basic arithmetic errors in high-TVL pools in 2026. These stableswap invariants are incredibly sensitive to even minor rounding discrepancies or unchecked math operations. Yearn has a solid track record, but this highlights why formal verification is becoming non-negotiable for any vault strategy involving complex token pairs.

    1. Defi_Doctor exactly. unchecked math in iterative supply recalculation is a known pattern. Curve had similar concerns years ago. how does Yearn still miss this

      1. Curve switched to safe math years ago and Yearn reimplementing stableswap without it is inexcusable. this was a known failure pattern

      2. vault_audit_ Curve had similar supply manipulation concerns years ago and switched to safe math. Yearn reimplementing stableswap invariants without those protections is negligence

  4. Ouch, $9M is a heavy hit for the yETH ecosystem. I have always been a fan of the Yearn vaults, but these nested pool risks are getting harder to track as a retail user. Definitely going to be more cautious with my LSD positions until the post-mortem clarifies if other stableswap implementations are vulnerable to similar math exploits.

    1. Ser_Wags the nested pool risk is exactly right. wstETH, rETH, cbETH all in one pool with shared rate providers. one bad rate and the whole thing blows up
