- Yearn Finance experienced a $9 million exploit through an infinite mint attack on its yETH StableSwap pool.
- The attacker minted approximately 235 trillion yETH tokens by exploiting a maths bug, then drained nearly $9 million from the pool.
- The incident affected only the StableSwap pools, leaving Yearn’s major yield markets of over $410 million untouched.
- Losses from DeFi hacks have surpassed $2.5 billion in 2025, with infinite mint bugs among common attack methods.
- Yearn had previously lost $22 million from two flash loan exploits.
On Monday, the decentralized finance platform Yearn Finance suffered a $9 million exploit targeting its yETH liquid staking pool token. Onchain data shows the attack exploited Yearn’s custom StableSwap pool, a vault designed for trading liquid derivative staking tokens.
The attacker used a maths vulnerability in the yETH smart contract to trigger an infinite mint bug, creating about 235 trillion yETH tokens out of thin air, according to etherscan data. This allowed the attacker to inflate the token supply while maintaining the original price index. They then drained roughly $8 million from the StableSwap pool and swapped $900,000 worth of yETH for wrapped Ethereum. An additional $3 million in Ethereum was transferred to Tornado Cash.
Yearn confirmed on X that the exploit was confined to the StableSwap pools and did not affect the protocol’s primary yield markets, which hold deposits exceeding $410 million. This event follows the recent $128 million loss experienced by another DeFi protocol, Balancer.
The affected smart contracts had undergone multiple audits from blockchain security firms, including a recent ChainSecurity audit. Despite such reviews, maths errors like infinite mint bugs can be overlooked, leaving protocols vulnerable. These bugs allow attackers to mint tokens endlessly by exploiting calculation flaws.
This incident adds to the escalating losses seen across the crypto sector in 2025. Data from DefiLlama reports that over $2.5 billion has been stolen from exchanges and DeFi platforms so far this year. Infinite mint bugs have been used in attacks on other projects like Wormhole, Abracadabra, and Harmony.
Previously, Yearn had suffered two flash loan attacks, resulting in combined losses of about $22 million. These recurring exploits highlight ongoing security challenges faced by DeFi projects.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Bitcoin plunges from $93K to $80K amid crash fears, volatility rises
- Strategy dismisses bitcoin pullback panic, cites $55.8B BTC reserve
- Michael Burry Calls Tesla “Ridiculously Overvalued,” Shares Dip 1%
- Bitcoin Falls Below $86K, $637M Liquidated Amid Market Turmoil
- Bitcoin Drops to $86K as XRP Slides Following Crypto Crash
