Yearn Finance looted for $9m after attacker mints trillions of tokens

The attacker minted trillions of tokens out of thin air to syphon funds. Illustration: Gwen P; Source: Shutterstock
  • Yearn Finance suffered an infinite mint attack.
  • The attacker targeted a custom StableSwap pool.
  • Yearn lost $22 million in two previous flash loan exploits.

On Monday, DeFi protocol Yearn Finance suffered a $9 million exploit that affected the project’s yETH liquid staking pool token.

Onchain data shows the attack targeted Yearn’s StableSwap pool, a custom vault for trading liquid staking derivative tokens.

On X, Yearn confirmed that the malicious exploit affected only the StableSwap pools and that its major yield markets, with more than $410 million in deposits, weren’t impacted.

The incident comes on the heels of the $128 million loss suffered by Balancer, another pioneering DeFi protocol.

As with Balancer, the affected smart contracts had been audited by several blockchain security firms.

The attack also adds to mounting losses for crypto investors from hacks and exploits this year.

$2.5 billion

Bad actors have already looted more than $2.5 billion from crypto exchanges and DeFi protocols in 2025, according to data from DefiLlama.

The Yearn attacker turned a maths bug in the yETH smart contract into an infinite-money glitch.

This type of glitch tricks the affected protocol into letting a bad actor inflate a token’s supply while the protocol still treats its pricing index as correct.

The Yearn exploiter used this vulnerability to mint about 235 trillion yETH out of thin air, onchain data shows. With the inflated supply in hand, the attacker targeted the custom StableSwap pool, which initially held about $11 million worth of liquid staking tokens.

The attacker drained about $8 million from the pool in a single transaction, then swapped $900,000 worth of yETH for wrapped Ethereum.

They also sent $3 million worth of Ethereum to Tornado Cash.

Infinite money bug

Bad actors have used infinite mint bugs to attack other DeFi protocols and blockchains in the past, including Wormhole, Abracadabra and Harmony.

They are a subset of maths errors in smart contracts, alongside rounding mistakes that lead to loss of precision.

Maths errors are often missed by blockchain security auditors, leading to instances where even heavily audited protocols still fall victim to malicious exploits.

Yearn has previously suffered two flash loan attacks, resulting in losses totalling $22 million.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. Got a tip? Please contact him at osato@dlnews.com.