Yearn Finance recovers $2.4M from a complex yETH hack as investigations continue, highlighting legacy DeFi risks and ongoing recovery efforts.
Yearn Finance has confirmed the recovery of $2.4 million from the recent yETH exploit. This is an important step in an ongoing mission to limit losses following a sophisticated attack that drained nearly $ 9 million from legacy contracts.
Yearn Confirms Partial Recovery After Complex Attack
This recovery was 857.49 pxETH according to Yearn’s update, which was secured by coordination with Plume and Dinero. The reclaimed assets will be returned to affected users. The exploit was based on the old yETH stableswap pool, as well as a smaller pool of yETH to WETH assets on Curve. The attack was of high complexity, not unlike the recent attack on Balancer, and demonstrated long-running dangers in outdated DeFi architecture.
yETH update: With the assistance of the Plume and Dinero teams, a coordinated recovery of 857.49 pxETH ($2.39m) was performed. Recovery efforts remain active and ongoing. Any assets successfully recovered will be returned to affected depositors.https://t.co/xaClNhd0C0
— yearn (@yearnfi) December 1, 2025
The incident happened on November 30 and took advantage of a custom pool through the use of nonstandard code. This custom contract had a serious arithmetic mistake. The flaw permitted the attacker to mint a vast number of yETH at a single step. The attacker then traded this minted supply for actual assets, depleting liquidity from both affected pools before investigators noticed the issue.
Related Reading: Yearn Finance Hack: Yearn Finance Suffers Major yETH Hack, ETH Sent to Mixer | Live Bitcoin News
Moreover, researchers traced almost 1,000 ETH, or approximately $3 million, through Tornado Cash. This movement hid some of the stolen funds. However, the attacker left other assets in a wallet, which made the recovery effort possible. The existence of these funds caused an opportunity for Yearn to negotiate the return of pxETH. Additionally, the attacker deployed temporary helper contracts, which destroyed themselves, making on-chain forensics more difficult.
As recovery efforts run on, Yearn has encouraged impacted users to seek support via Discord. The team said old contracts are under review to avoid any further problems. They also stressed that the exploit did not affect V2 or V3 vaults. These more advanced vaults have separate code paths and have the benefit of better security standards across the ecosystem.
Ongoing Investigation Highlights Legacy Risks in DeFi
Yearn’s report said that the targeted pool was using outdated logic no longer found in its core products. This older stableswap mechanism was used to manage invariants with some custom logic. This design had a numerical bug that was exploited by attackers. Furthermore, Yearn confirmed this was the third major hit to the protocol since 2021, showing that legacy components are still high-risk entry points.
Industry observers note that the attack has similar patterns in other recent DeFi hacks. Advanced adversaries are now increasingly combining numerical exploits with privacy tools and self-destroying contracts. These methods decrease traceability and test standard recovery workflows. However, even Yearn’s continued progress shows that concerted efforts are still leading to some success, particularly when the attackers leave something unprotected.
Moreover, the protocol emphasizes that compensation will not wait for the court process and long negotiations. This approach is to help support depositors as fast as possible and minimize disruption to users who relied on the historical Yearn infrastructure. Further recoveries could occur, provided on-chain conditions allow for further retrieval of assets.
In the meantime, DeFi experts say the incident also highlights the importance of retiring legacy contracts. They say older systems create more vulnerability in the system, particularly when various pools of liquidity are still alive in old and outdated pools. As the investigation continues, Yearn’s steps could lead other platforms to step up their audits and minimize exposure to similar liquidation-triggering failures at critical periods in the market.