Yearn Finance starts asset recovery after $9 million exploit on November 30

Yearn Finance has started the recovery process for funds that were stolen when a $9 million exploit hit its yETH stableswap pool on November 30.

The DeFi protocol announced it successfully clawed back $2.39 million worth of assets, which are to be returned to affected depositors.

As reported by Cryptopolitan, the exploit occurred at 21:11 UTC, and it targeted a custom version of stableswap code. Yearn Finance confirmed that its main V2 and V3 vault products weren’t affected by the incident and remain secure for users.

Yearn Finance recovers $2.39 million in coordinated effort

The protocol announced the recovery of 857.49 pxETH, valued at $2.39 million, through a collaborative operation with the Plume and Dinero teams. Yearn Finance stated that the process of recovery is still ongoing, and any other assets recovered will be returned to the affected depositors.

The clawback operation comes just days after the initial exploit. A war room with SEAL911 and audit partner ChainSecurity remains active as the full postmortem investigation continues. The security response involves tracking the movement of stolen assets and working to prevent further losses.

yETH update: With the assistance of the Plume and Dinero teams, a coordinated recovery of 857.49 pxETH ($2.39m) was performed. Recovery efforts remain active and ongoing. Any assets successfully recovered will be returned to affected depositors.https://t.co/xaClNhd0C0

— yearn (@yearnfi) December 1, 2025

The $9 million exploit breakdown

Collectively, the two pools lost around $9 million. The heaviest impact was taken by the stableswap pool that was affected, which lost about $8 million. Curve also suffered, as the yETH-WETH Stableswap was drained for another $900,000.

The attacker used a vulnerability that could mint a large number of yETH tokens. According to early analysis from Yearn Finance, the hacker minted about 235 trillion yETH without providing necessary collateral.

By using the inflated token balance, the attacker was able to swap the unbacked yETH for legitimate liquid staking assets such as stETH, rETH, and cbETH from the stableswap pool and wrapped Ethereum from the Curve pool.

Legacy pool vulnerability exposed

This contract was a customized version of one of the popular stableswap codes and was independent of the rest of the Yearn Finance products. The protocol stressed that no other Yearn product uses similar code to what was compromised in the attack.

The vulnerability involved an older, legacy contract related to the yETH token. That allowed the attacker to mint new tokens without the necessary collateral backing, essentially creating tokens out of thin air.

Yearn Finance explained that the initial analysis places this hack at a similar level of complexity to the recent Balancer exploit. The yETH stableswap pool was not connected to the main Yearn V2 and V3 vault infrastructure, which helped isolate the hack and thus stop the exploit from spreading to its core products.

Attacker launders funds through a mixer

The attacker, within hours of the exploit, started to move stolen assets in order to obscure their trail. About 1,000 ETH, worth approximately $3 million, was subsequently transferred into crypto mixing service Tornado Cash.

As of December 1, approximately $6 million of stolen funds remained in the attacker wallet address 0xa80d.c822. The remaining funds were comprised primarily of staked ETH derivatives that had not been laundered yet.

The Yearn Finance team put out clear statements indicating that the core products of their vaults were not susceptible to the exploit. V2 and V3 vaults lie in a separate smart contract, with their codebase different from that of the affected legacy pool.

Users who had funds in Yearn V2 and V3 vaults did not have to do anything. The protocol explained that the incident that occurred on November 30 affected only depositors in the particular yETH stableswap pool.

November crypto security incidents

The Yearn Finance hack closed out a difficult month for crypto security. November 2025 saw nearly $200 million in losses across multiple high-profile platforms and protocols.

The month’s largest incident was a $134 million exploit of Balancer, caused by a rounding error in smart contract logic. South Korean exchange Upbit suffered a hot wallet compromise that resulted in losses between $30 million and $38 million.

Other November incidents included a $3.1 million smart contract takeover at GANA Payment and approximately $5 million in losses at Hyperliquid from price manipulation.

If you're reading this, you’re already ahead. Stay there with our newsletter.