Key Highlights
- Yearn Finance recovered $2.4M of the $9M lost in the yETH exploit after coordinating with Plume and Dinero.
- The attack exploited a flaw in Yearn’s legacy yETH stableswap contract, draining over $8.9M across two pools.
- Yearn confirmed user reimbursements will begin soon as recovery efforts continue and a full post-mortem is prepared.
Yearn Finance has recovered $2.4 million of the $9 million lost in the yETH exploit that struck the protocol at the end of November, offering early relief to users affected by the attack.
The recovery was confirmed late on December 1, when Yearn said it successfully retrieved 857.49 pxETH through a coordinated effort with partners Plume and Dinero. All recovered funds will be returned to impacted depositors.
The exploit took place on November 30 at 21:11 UTC, targeting Yearn’s legacy yETH stableswap pool. Unlike most Curve-based pools, this contract relied on custom code, which contained a subtle arithmetic flaw.
Attackers used this vulnerability to mint a massive amount of yETH in a single transaction and then drained assets from two pools. Around $8 million was taken from the yETH stableswap pool and another $900,000 from the yETH–WETH pool on Curve.
Security teams respond quickly
Engineers from Yearn, SEAL 911, and ChainSecurity immediately convened a “war room” to contain the damage. While a portion of the stolen Ethereum was quickly laundered through Tornado Cash, making full recovery unlikely, investigators tracked several LST assets still linked to the exploiter’s wallets.
These traceable assets enabled Yearn and its partners to neutralize the attacker’s pxETH positions and redirect equivalent value back to users.
The protocol emphasized that no other Yearn products were impacted. Yearn’s V2 and V3 vaults, holding more than $600 million, run on different code paths and remained completely safe.
The team reported that recovery operations are ongoing and that more assets can be retrieved if on-chain opportunities arise.
Past incidents add pressure on DeFi security
The incident adds to a string of recent DeFi exploits. In late November, Prisma Finance and Raft Finance also reported losses due to contract flaws and compromised keys.
Curve itself suffered a major exploit earlier in the year because of a Vyper compiler bug, highlighting long-standing concerns about legacy contracts and the complexity of DeFi infrastructure.
What’s next for Yearn Finance
Yearn plans to release a full post-mortem once audit partners finalize their review. Users affected by the exploit can request support through Yearn’s Discord. The protocol is also examining older contracts to avoid such vulnerabilities.
Although YFI plummeted by about 10% following the exploit on November 30, the token regained part of its losses after the announcement of the partial fund recovery, which helped stabilize sentiment around the ecosystem. At the time of writing, it was trading at $3,693, as per CoinMarketCap data.
