Yearn Finance V1 TUSD Vault Drained for $300K in Flash Loan Exploit

Yearn Finance’s legacy V1 infrastructure fell victim to a sophisticated flash loan attack on December 16, 2025, resulting in a $300,000 loss that exposes the persistent dangers of abandoned smart contracts still holding user funds. Security firm PeckShieldAlert first identified the anomaly, tracking the attacker as they moved stolen stablecoins through multiple DeFi protocols before converting everything to 103 ETH, worth approximately $305,000 at current prices near $2,964 per ETH.

The Exploit Mechanics

The attack began with the attacker withdrawing $203,491 worth of TUSD from Aave Protocol V1 alongside a modest $4,068 USDC loan from dYdX. The critical move came with a flash loan of nearly $245,906 in TUSD from Aave Protocol V2, giving the attacker enough capital to manipulate the legacy iEarn TUSD pool. The stolen funds moved rapidly across Curve and Yearn Finance, swapping four different tokens and shifting millions in stablecoins through interconnected DeFi infrastructure. Large transfers included $30 million from Morpho, $10 million from Yearn, and $11 million through Curve’s DAI/USDC pool. The attacker paid remarkably low fees for the entire operation—just $611 in Ethereum and 0.01 ETH worth approximately $29.60 at the time of the attack.

Affected Systems

The exploit targeted iEarn’s immutable TUSD contract, deployed over 2,100 days ago in 2020. This contract predates Yearn’s modern Vault system and has been effectively deprecated for years. Yearn Finance confirmed that its V2 and V3 Vaults, currently holding over $410 million in combined assets, remain entirely unaffected by the exploit. The problem is exclusive to the iEarn legacy contract and does not impact current Yearn contracts or vaults. However, the incident mirrors a similar 2023 iEarn USDT hack that led to multiple Curve pools being exploited, impacting liquidity providers downstream. Historically, Yearn’s legacy V1 Vaults wrapped affected LP tokens, meaning some users may have indirectly felt the consequences even if they never directly interacted with the iEarn contract.

The Mitigation Strategy

Yearn Finance responded quickly by publicly confirming the scope of the exploit and clearly delineating which contracts were affected versus unaffected. The team emphasized that this is an issue with immutable, deprecated code that cannot be patched or upgraded—by design. This follows a pattern of proactive recovery efforts; in late November, the yETH stableswap pool suffered an $8 million loss from an arithmetic flaw, and Yearn successfully recovered $2.4 million in December through coordinated efforts with partners Plume and Dinero. For users, the mitigation strategy is straightforward: migrate all funds from V1 contracts to the actively maintained V2 and V3 vaults. Any remaining liquidity in iEarn-era contracts should be considered at elevated risk.

Lessons Learned

This incident underscores several critical security principles for DeFi participants. First, deprecated does not mean disabled—immutable smart contracts continue to exist and hold funds long after their creators have moved on to newer versions. Second, flash loan attacks remain one of the most efficient exploitation vectors in DeFi, requiring minimal upfront capital and offering near-zero risk to the attacker. Third, interconnected DeFi protocols create cascading risk: a vulnerability in one legacy contract can ripple through Curve pools, Morpho markets, and other linked systems. As Bitcoin trades near $87,844 and the broader crypto market navigates significant ETF outflows of $357.6 million, these risks become amplified during periods of heightened market stress.

User Action Required

If you have any remaining funds in Yearn V1 or iEarn contracts, withdraw them immediately. Verify that your deposits are in V2 or V3 vaults by checking the Yearn Finance dashboard. Review any LP positions that may have exposure to legacy iEarn tokens through wrapped positions. Enable transaction notifications on wallets connected to DeFi protocols, and consider using on-chain monitoring tools like PeckShield or Forta to receive real-time alerts about exploits affecting protocols you use. The crypto security landscape demands constant vigilance—especially when it comes to legacy infrastructure that no longer receives active maintenance or security audits.
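The review of wrapped positions described above can be modelled as a graph search from each held token down to what it wraps. The following is an added example, not code from the article or from Yearn; every address is a constructed placeholder and the composition map is assumed data that would in practice come from on-chain reads or protocol documentation.

```python
from collections import deque

# Constructed placeholders: the article gives no contract addresses.
LEGACY_IEARN = "0xLEGACY_IEARN_TUSD_PLACEHOLDER"
CURVE_LP = "0xCURVE_LP_PLACEHOLDER"
V1_VAULT = "0xV1_VAULT_PLACEHOLDER"
V3_VAULT = "0xV3_VAULT_PLACEHOLDER"
USDC = "0xUSDC_PLACEHOLDER"

LEGACY = {LEGACY_IEARN}          # contracts treated as at elevated risk
UNDERLYING = {                   # wrapper token -> tokens it holds (assumed)
    V1_VAULT: [CURVE_LP],
    CURVE_LP: [LEGACY_IEARN, USDC],
    V3_VAULT: [USDC],
}
POSITIONS = {                    # constructed wallet balances, in base units
    V1_VAULT: 5_000,
    V3_VAULT: 12_000,
    LEGACY_IEARN: 250,
    CURVE_LP: 0,                 # emptied position, must not be reported
}

def exposure_path(token, underlying, legacy):
    """Shortest chain token -> ... -> legacy contract, or None if unexposed."""
    queue, seen = deque([[token]]), {token}
    while queue:
        path = queue.popleft()
        if path[-1] in legacy:
            return path
        for child in underlying.get(path[-1], ()):
            if child not in seen:        # guards against circular wrappers
                seen.add(child)
                queue.append(path + [child])
    return None

def audit(positions, underlying, legacy):
    """List every non-zero position that reaches a legacy contract."""
    findings = []
    for token, balance in positions.items():
        if balance <= 0:
            continue
        path = exposure_path(token, underlying, legacy)
        if path:
            kind = "direct" if len(path) == 1 else "indirect"
            findings.append({"token": token, "balance": balance,
                             "kind": kind, "path": path})
    return findings

if __name__ == "__main__":
    for finding in audit(POSITIONS, UNDERLYING, LEGACY):
        print(finding["kind"], finding["balance"], " -> ".join(finding["path"]))
```

The reported path shows which intermediate wrapper carries the exposure, which is the position to unwind first.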

This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
