Yearn Finance recovers $2.4M following $9M yETH exploit

Yearn Finance has taken its first major step toward repairing the damage from its recent yETH exploit after securing a partial recovery.

Yearn Finance has recovered $2.4 million from the $9 million yETH exploit that hit the protocol at the end of November.

The update came late on Dec. 1, when Yearn confirmed that 857.49 pxETH had been recovered through a coordinated effort with Plume and Dinero, and that all retrieved funds will be returned to affected users.

The exploit that hit Yearn’s legacy yETH pool

The incident took place at 21:11 UTC on Nov. 30 and targeted Yearn’s legacy yETH stableswap pool, a contract powered by custom code rather than the standard Curve (CRV) implementation.

A subtle arithmetic flaw allowed the attacker to mint an enormous amount of yETH in one transaction, which they then used to drain assets from the affected pools. Roughly $8 million was taken from the yETH stableswap pool and another $900,000 from the yETH-WETH pool on Curve.

No other Yearn product used this contract, and V2 and V3 vaults, which hold more than $600 million, were not touched. Engineers from Yearn, SEAL 911, and ChainSecurity entered a war-room immediately after the breach, and a full post-mortem is underway.

Part of the stolen Ethereum (ETH) was quickly laundered through Tornado Cash, limiting the chances of full recovery, but several LST assets tied to the attacker’s wallets were still traceable during the window that followed the exploit. That is where Yearn focused its efforts.

How Yearn recovered $2.4M and what happens next

The pxETH recovered in the latest update was still within the attacker’s reach and had not been mixed or converted. Working with Plume and Dinero, Yearn neutralized the exploiter’s pxETH positions and redirected equivalent value back to the protocol.

This will allow affected depositors to be compensated without waiting for courtroom processes or lengthy negotiations. The team said recovery efforts are still active and that additional assets may follow if on-chain options allow it.

Users who were impacted can request support through Yearn’s Discord while the investigation continues. The protocol has also reiterated that none of its other products share this code path and that old contracts are being reviewed to prevent similar issues.

The quick communication has helped steady sentiment around Yearn’s ecosystem, especially after YFI’s sharp drop following the attack. The token later pared some losses as details of the recovery were made public. 

Yearn is expected to release its full post-mortem once the audit partners finalize their review, and the team has already pointed users to its documentation outlining its vulnerability disclosure framework and audit history.