Yearn Finance $9M Exploit

How catastrophic was the vulnerability that undermined Yearn Finance’s legacy yETH implementation? The infinite mint vulnerability exposed structural deficiencies in the yETH token contract logic, permitting attackers to generate 235 trillion tokens in a single transaction and illustrating the risk of minting mechanisms that lack adequate safeguards. The flaw, a fundamental mathematical error in the smart contract, let the attacker bypass the constraints meant to regulate token supply and maintain protocol integrity.

The attack began on November 30, 2025, at 21:11 UTC, when strategically deployed helper contracts exploited the unchecked minting vulnerability to accumulate astronomical quantities of yETH tokens, which were then used to drain approximately $8 million from the Balancer StableSwap pool designated for liquid staking tokens. The attacker self-destructed these auxiliary contracts immediately after the exploit, obscuring the attack vector and complicating forensic analysis. The exploit ran quickly, completely depleting the yETH stableswap pool within minutes and extracting substantial liquidity before remedial measures could be implemented. The Nansen alert system confirmed the attack in real time, providing early detection that enabled rapid response coordination among protocol stakeholders. Yearn’s security infrastructure had been enhanced following earlier incidents, yet the legacy yETH contract remained vulnerable due to insufficient code review of older implementations.
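A supply monitor of the kind that would flag a mint of this size, as an added example (it is not Yearn's or Nansen's code). It assumes the token emits standard ERC-20 Transfer events for mints and burns; the event records, addresses, starting supply and 10% threshold are constructed for illustration.

```python
ZERO = "0x" + "00" * 20   # ERC-20 mints/burns are Transfers from/to the zero address
UNIT = 10 ** 18           # assumption: 18-decimal token

def find_mint_anomalies(logs, start_supply, max_pct=10):
    """Flag transactions whose net mint exceeds max_pct percent of the
    supply that existed before the transaction.

    logs: decoded Transfer events in chain order, each a dict with keys
    tx, from, to, value (integer base units). Returns a list of alerts.
    """
    # Net supply change per transaction; dicts keep insertion (chain) order.
    net_by_tx = {}
    for ev in logs:
        delta = 0
        if ev["from"] == ZERO:
            delta += ev["value"]      # mint
        if ev["to"] == ZERO:
            delta -= ev["value"]      # burn
        net_by_tx[ev["tx"]] = net_by_tx.get(ev["tx"], 0) + delta

    supply, alerts = start_supply, []
    for tx, net in net_by_tx.items():
        # Integer comparison avoids float rounding on 18-decimal amounts and
        # also flags any mint into a zero supply.
        if net > 0 and net * 100 > supply * max_pct:
            alerts.append({"tx": tx, "minted": net, "supply_before": supply})
        supply += net
    return alerts

# Constructed sample data: addresses, hashes and starting supply are made up.
USER, HELPER = "0x" + "11" * 20, "0x" + "22" * 20
START_SUPPLY = 20_000 * UNIT
SAMPLE_LOGS = [
    {"tx": "0xaaa", "from": ZERO, "to": USER, "value": 500 * UNIT},
    {"tx": "0xbbb", "from": USER, "to": ZERO, "value": 1_000 * UNIT},
    {"tx": "0xccc", "from": ZERO, "to": HELPER, "value": 235 * 10**12 * UNIT},
    {"tx": "0xddd", "from": ZERO, "to": USER, "value": 100 * UNIT},
    {"tx": "0xddd", "from": USER, "to": ZERO, "value": 100 * UNIT},
]

if __name__ == "__main__":
    for a in find_mint_anomalies(SAMPLE_LOGS, START_SUPPLY):
        print(f"ALERT {a['tx']}: minted {a['minted'] // UNIT:,} tokens "
              f"against a prior supply of {a['supply_before'] // UNIT:,}")
```

Netting mints against burns per transaction keeps a mint-and-burn round trip from raising a false alert, while a single oversized mint is reported against the supply that existed just before it.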

Approximately $9 million in aggregate assets were compromised during this incident, with roughly $3 million in ETH subsequently transferred to Tornado Cash for laundering, demonstrating the attacker’s deliberate effort to obscure asset provenance. Yearn Finance subsequently recovered $2.4 million through operational and investigative procedures, partially mitigating the initial losses. The protocol’s damage assessment confirmed that the vulnerability was isolated to the legacy yETH implementation: the V2 and V3 Vault infrastructures were not compromised, and protocols built on Yearn V3, including Katana, remained fully operational with no exposure to the vulnerability.

The YFI token showed notable price volatility after the exploit was disclosed, rising from $4,080 to more than $4,160 within a single hour as short-sellers covered their positions once it was confirmed that the vulnerability had limited scope. The incident adds to Yearn Finance’s documented security challenges, which include previous flash loan attacks totaling $22 million, and underscores the protocol’s established pattern of addressing vulnerabilities through extensive user compensation mechanisms and an institutional commitment to recovery operations.
