Yearn Finance, DeFi’s once-untouchable yield juggernaut, just got gutted for $9 million in a lightning-fast exploit that drained its yUSDT vault on November 30, 2025, with the attacker already funneling $3 million through Tornado Cash and scattering the rest across 47 wallets in a textbook post-exploit money-laundering sprint.

The breach hit at 03:17 UTC when a malicious contract impersonating a trusted Yearn strategy exploited a reentrancy vulnerability in the vault’s deposit function, minting unlimited shares and withdrawing underlying USDT in a single swoop. PeckShield and BlockSec confirmed the root cause within minutes: an outdated proxy implementation that failed to block recursive calls during balance updates. The attacker funded the operation with a $20K flash loan from Balancer, amplified the attack 400x, and walked away with $9.03 million before anyone could blink.
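A simplified Python model of the bug class described above, added here as an illustration; it is not Yearn's contract code or a reconstruction of the actual transaction. The `Vault` class, the `pay` callback and the 1:1 share accounting are hypothetical. It shows how a deposit routine that makes an external call before its balance update is finished over-credits shares when re-entered, and how a mutex guard rejects the nested call.

```python
class Reentered(Exception):
    """Raised by the guard; on-chain this would revert the whole transaction."""

class Vault:
    def __init__(self, guarded):
        self.guarded = guarded   # True = mutex enforced around deposit()
        self.locked = False
        self.balance = 0         # underlying tokens held by the vault
        self.shares = {}         # depositor name -> shares (1 share per token)

    def deposit(self, depositor, amount):
        if self.guarded and self.locked:
            raise Reentered("deposit() re-entered during balance update")
        self.locked = True
        try:
            before = self.balance
            depositor.pay(self, amount)        # external call; accounting not final yet
            received = self.balance - before   # flaw: also counts nested deposits
            self.shares[depositor.name] = self.shares.get(depositor.name, 0) + received
        finally:
            self.locked = False

    def total_shares(self):
        return sum(self.shares.values())

class HonestDepositor:
    name = "honest"
    def pay(self, vault, amount):
        vault.balance += amount

class ReenteringDepositor:
    """Constructed test double: calls deposit() again from inside the callback."""
    name = "reenter"
    def __init__(self):
        self.depth = 0
    def pay(self, vault, amount):
        if self.depth == 0:
            self.depth = 1
            vault.deposit(self, amount)        # nested call while the outer one is open
        vault.balance += amount

def run(guarded):
    """Return (vault balance, total shares, nested call blocked?)."""
    vault = Vault(guarded)
    vault.deposit(HonestDepositor(), 100)
    try:
        vault.deposit(ReenteringDepositor(), 100)
        blocked = False
    except Reentered:
        blocked = True
    return vault.balance, vault.total_shares(), blocked
```

The invariant worth asserting in tests and monitoring is that total shares never exceed what the vault's assets back: the unguarded run ends with 400 shares against 300 tokens, while the guarded run stays at 100 and 100.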

Yearn’s emergency multisig paused deposits instantly, but the horse had already bolted.

On-chain sleuths watched in real time as $3 million hit Tornado Cash’s 100 ETH pools, $2.1 million crossed to Bitcoin via THORChain, and the rest scattered across Railgun, Aztec, and fresh Binance deposits. ZachXBT’s thread calling it “one of the cleanest Yearn exits ever” racked up 300K views in an hour, while the attacker’s wallet boldly left a transaction memo: “gg no re.”

Yearn founder Andre Cronje broke silence on X: “Funds are safu for all other vaults. Affected pool only. Full postmortem in 24h. We will make users whole from treasury if needed.” YFI dumped 12% to $7,800 on the news, dragging CRV and other governance tokens down 8–15% in sympathy. DeFi TVL shed $1.8 billion in hours as spooked money fled to Ethereum mainnet staking.

This is Yearn’s third nine-figure exploit since 2021, pushing cumulative losses past $30 million and reigniting the “is DeFi still too risky?” debate. Insurance protocols like Nexus Mutual saw claim filings spike, but coverage for this vault was under 4%.

For the industry, it’s another black eye: $2.8 billion stolen in 2025 alone, with reentrancy bugs still haunting even the most audited blue-chips. As one anon trader put it, “Yearn just paid $9M tuition again—when does the lesson stick?”

The attacker’s still on the run, funds still moving. The yield game just got a lot more expensive.
