They always come back, more inventive, more technical. Hackers have just struck a new blow in the crypto sphere. This time, it is Yearn Finance that pays the price. The result: 9 million dollars gone. Behind the exploit is a bug of rare complexity in the yETH contract. On the surface, a simple swap. Deep down, mathematical chaos. And the worst thing is that this is not an isolated case.

In brief
- Yearn Finance loses 9 million due to a flaw in a custom swap contract.
- The technical bug: a division omitted in the calculation of the virtual balance product.
- The attacker uses temporary contracts to drain assets and cover their tracks.
- A single transaction is enough to pocket 100% of the liquidity of the affected yETH pool.
When arithmetic explodes: a bug worth millions
On November 30, a user was able to mint 2.35 × 10³⁸ yETH thanks to a subtle flaw in the smart contract's swap() function. This contract was supposed to maintain a balance rule between tokens, but a critical division was omitted from the formula. Result: the vb_prod variable ran away. Like a speedometer stuck in overspeed, it deceived the protocol about its own health.
The exploit was confirmed by PeckShield, which warned in a tweet that nearly $9 million had been lost. Part of the funds, around 3 million in ETH, was sent through Tornado Cash, a well-known cryptocurrency mixer used to obscure the trail of funds. The rest is still sitting at the hacker's address.
The bug is more than a simple oversight. As Ilia.eth explained on X:
Today's exploitation of the $yETH pool was not a flash loan attack on the price, but rather a structural collapse of the AMM's internal accounting. Here's a technical analysis showing how a simple forgotten split led to a complete protocol drain.
This flaw is cruelly reminiscent of the precedent of Balancer, where poor management of rounding caused similar chaos. Same cause, same effect: uncontrolled monetary creation, followed by a legitimate but destructive withdrawal.
“Helper contracts” to raze the architecture of Yearn Finance
It's not just the bug that impresses; it is also the engineering of the attack. In a single transaction, the hacker orchestrated everything: deployment of “helper contracts”, minting of tokens, conversion into ETH, transfer of funds, and self-destruction of the contracts to erase the traces.
According to Blockscout, each helper contract executed a targeted call to the vulnerable function, then sent the ETH to a master wallet before disappearing. A strategy worthy of a film heist, where the robber erases his digital fingerprints in the same second he acts.
The key address identified by several analysts is: 0xa80d…c822, currently still holding around 6 million in stETH, rETH and other Ethereum derivatives.
On X, William Li offers a further reading:
The hacker did not actually withdraw all the yETH he had created, he only sold some of it into the yETH-ETH pool for 1,000 ETH (around $3 million) — which is much lower than the actual gain he made (P2).
More than a theft, it is therefore a controlled disintegration of the yETH protocol. And behind the attack, a deep mathematical knowledge, coupled with a cold and precise programming talent.
Crypto and trust: when code becomes the Achilles heel
Yearn Finance is far from being an amateur project. And yet, the flaw was detected neither by users nor by audits. This is where the matter becomes worrying for the entire crypto market. Because this type of error – a multiplication instead of a division – could exist elsewhere, lurking in other protocols.
The yETH contract structure is a hybrid between Curve and Balancer. Except that instead of recalculating at each transaction, it stores an intermediate state (vb_prod) supposed to be updated after each swap. A dangerous practice, according to Ilia.eth:
Storing the results of complex products (vb_prod) to update them incrementally is extremely risky. Errors accumulate, and the slightest logical bug can remain active indefinitely. It would be better to recalculate the invariants from the current balances.
The hack rekindles the debate: should we prioritize gas savings or rigor? One thing is certain: the consequences of a botched trade-off now run into the millions. At Yearn, the time has come to regroup: SEAL911, ChainSecurity and a post-mortem investigation are already on the front lines.
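The risk of a stored, incrementally updated product versus recomputing from current balances, as an added example that is not from the article or from Yearn's code. It uses a simplified toy pool (not the yETH formula); the `Pool` class, its method names and the sample balances are constructed for illustration. With the division by the old balance omitted, the cached value diverges on the first update and stays wrong even after the balances return to their starting values, which a recompute-and-compare check catches immediately.

```python
from fractions import Fraction
from math import prod


class Pool:
    """Toy pool (hypothetical model, not the yETH formula) caching a balance product."""

    def __init__(self, balances, omit_division=False):
        self.balances = [Fraction(b) for b in balances]
        self.cached_prod = prod(self.balances)  # stored state, in the role of vb_prod
        self.omit_division = omit_division      # True reproduces the bug class

    def set_balance(self, i, new):
        old, new = self.balances[i], Fraction(new)
        if new <= 0:
            raise ValueError("balance must stay positive")
        self.cached_prod *= new                 # bring in the new factor
        if not self.omit_division:
            self.cached_prod /= old             # remove the old factor
        self.balances[i] = new

    def drift(self):
        """cached / recomputed; exactly 1 while the cache is consistent."""
        return self.cached_prod / prod(self.balances)


def first_divergence(pool, steps):
    """Apply (index, new_balance) updates; return the 1-based step at which
    the cache stops matching a fresh recomputation, or None if it never does."""
    for n, (i, new) in enumerate(steps, start=1):
        pool.set_balance(i, new)
        if pool.drift() != 1:
            return n
    return None


def final_drift(pool, steps):
    """Apply every update and return the accumulated cached/recomputed ratio."""
    for i, new in steps:
        pool.set_balance(i, new)
    return pool.drift()


# Constructed sample: two balances move away and then return to 1000.
STEPS = [(0, 1100), (1, 900), (0, 1000), (1, 1000)]

if __name__ == "__main__":
    print("correct update, final drift:", final_drift(Pool([1000] * 3), STEPS))
    print("division omitted, final drift:", final_drift(Pool([1000] * 3, True), STEPS))
```

Run as a property test over random update sequences, the `drift() == 1` comparison is the kind of invariant check that flags a faulty incremental update before deployment.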
5 Key Facts About the Yearn Finance Exploit
- November 30, 2025: date of the hack;
- $9 million: estimated total losses;
- 2.35 × 10³⁸ yETH: artificially created tokens;
- 1 single transaction: the entire attack took place in one block;
- Helper contracts: deployed, used, then self-destructed.
Calculation errors in crypto are unforgiving. And one more audit would not have prevented the carnage: Balancer, despite 11 security audits, was also gutted by an almost twin bug. A simple multiplication factor can become a weapon of mass destruction when finance becomes programmable. Protocols have short memories, but blockchains forget nothing.
