Odaily Planet Daily news: Yearn Finance has released a detailed post-mortem report on last week's yETH vulnerability attack, revealing that a three-stage numerical error existed in its legacy stableswap liquidity pool. This error allowed attackers to "mint unlimited" LP tokens and steal approximately $9 million worth of assets from the pool. Yearn confirmed that, with the assistance of the Plume and Dinero teams, it successfully recovered 857.49 pxETH, accounting for about a quarter of the stolen assets. The team plans to distribute the recovered funds proportionally to yETH depositors. The decentralized finance protocol stated that the vulnerability attack occurred at block 23,914,086 on November 30, 2025, during which the attacker used a complex sequence of operations to force the internal parser of the liquidity pool...

PANews, December 8—According to discussions on platform X, several developers believe that although the yETH attack was attributed to fuzzing, the actual attack path was complex and may have involved gradually amplifying the exploit after discovering the initial vulnerability. Curve founder Michael

According to Jinse Finance, monitored by SlowMist, on December 1, the decentralized finance protocol Yearn suffered a hacker attack, resulting in a loss of approximately $9 million. The SlowMist security team analyzed the incident and confirmed the root cause as follows: The vulnerability originated from the calcsupply function logic used to calculate supply in the Yearn yETH Weighted Stableswap Pool contract. Due to unsafe mathematical operations, the function allowed overflow and rounding errors during computation, resulting in a significant deviation in the product calculation between the new supply and the virtual balance. Attackers exploited this flaw to manipulate liquidity to specific values and excessively mint liquidity pool (LP) tokens, thereby profiting illegally. It is recommended to enhance boundary scenario testing and adopt securely verified arithmetic mechanisms to prevent similar protocol vulnerabilities.

PANews, December 1st news, Yearn tweeted that the recent yETH-related attack did not affect the yCRV product.

PANews, December 1st news, according to PeckShieldAlert disclosed on X platform, Yearn Finance was attacked, and the hacker exhausted the fund pool through infinite minting of yETH, resulting in a loss of about 9 million USD. About 1,000 ETH (approximately 3 million USD) were transferred to Tornado Cash, and the attacker's Address still holds encryption assets worth approximately 6 million USD.

PANews, December 1st news, according to The Block, Yearn Finance's aggregated staking token product yETH was attacked. The attacker exploited a vulnerability to mint yETH almost without limit, depleting the pool's assets in a single transaction. On-chain data shows that the attacker subsequently transferred approximately 1000 ETH (about 3 million USD) into the mixing protocol Tornado Cash. Multiple contracts used for the attack self-destructed after the transaction. The specific scale of losses is still unclear, and Yearn stated that it is investigating the incident, along with its V2 and V3.