Yearn Finance details $9 million yETH exploit, confirms partial asset recovery and announces remediation plan

Odaily Planet Daily reports that Yearn Finance has released a detailed post-mortem report on last week’s yETH vulnerability exploit, revealing that a three-stage numerical error existed in its legacy stableswap liquidity pool. This flaw allowed attackers to “mint unlimited” LP tokens and steal approximately $9 million worth of assets from the pool. Yearn confirmed that, with assistance from the Plume and Dinero teams, it has successfully recovered 857.49 pxETH, roughly one quarter of the stolen assets. The team plans to distribute the recovered funds proportionally to yETH depositors. The decentralized finance protocol stated that the exploit took place at block 23,914,086 on November 30, 2025, with the attacker using a complex sequence of operations to force the internal parser of the liquidity pool into a divergent state, ultimately triggering arithmetic underflow. The attack targeted a custom stableswap pool aggregating multiple liquid staking tokens (LSTs) as well as a yETH/WETH Curve pool. Yearn emphasized that its v2 and v3 vaults and other products were not affected. To address these issues, Yearn has announced a remediation plan, including implementing explicit domain checks on the parser, replacing unsafe arithmetic with checked arithmetic in critical sections, and disabling bootstrapping logic after pool launch.