yETH Exploit Discussion

Hey everyone,

I’m just a regular user (not a contributor or team member) who had some skin in yETH and has been following everything since the exploit.

Quick recap:

On November 30, 2025 the legacy yETH token and its pools were hit by an infinite-mint exploit.

Total initial loss was ~$9M ($8M from the Balancer weighted pool + ~$900k from the Curve yETH-WETH pool). Thanks to fast whitehat actions and partner coordination, ~$2.4M has already been recovered and returned to the pools. More recovery efforts are still ongoing (some paths look promising, some are long shots), but nobody knows yet how much additional funds will actually come back.

Official report (worth reading):

Even with potential extra recoveries, the losses for depositors are still very real right now, and the same question keeps coming up everywhere:
Should the DAO consider compensating affected users (fully, partially, or not at all) once the final recoverable amount is known?

I’m starting this thread because:

  • Waiting until 100% of possible recoveries are exhausted could take weeks or months

  • In parallel, it makes sense to openly discuss sentiment and possible options on the actual governance forum instead of letting it stay scattered on Twitter/Discord

Looking to hear from:

  • affected depositors

  • YFI holders

  • contributors (when you have time)

No proposal, just trying to get the conversation in one place while recovery work continues in the background. Thanks for keeping it civil. (Team: happy to be corrected on any detail.)

1 Like

Thanks for starting this discussion. I’m both a yETH depositor and YFI holder. I am for making the depositors whole. There are a few different ways that the protocol could make up the shortfall of the total lost minus recoveries to date (~$6.6 million in ETH).

The obvious source to cover the shortfall would be the Yearn Treasury. However, there are other options that I have shared in Discord. One option would be for Yearn to secure a loan to cover the shortfall. Similar to what Resupply did with Yearn recently. See YIP-86.

Another option could be minting more YFI to sell for ETH to cover the shortfall. If this route was chosen, it could also be possible to allow veYFI holders first access to the printed YFI at a set discount to current spot price for a few days to allow interested veYFI holders to purchase some to avoid some dilution. After that period passed, if there was any minted YFI left over, Yearn could sell it into the market for ETH.

Lastly, it may make sense to combine some of these options to make up the shortfall.

1 Like

Thanks for starting this mig. I am also for making the victims whole if this is sustainable for the protocol’s finances.

I thought to lay out some views, taking the standpoint of the protocol’s fundamental interests. Trust is essential to Yearn’s position within DeFi. It’s why there’s good money for the security budget, and so much thought put into incentivising security contributors.

For Yearn to reach scale again, we must aim to be a “fire and forget” suite of products that depositors can put their money in, without being completely on the hook for security lapses outside their control. It follows that we cannot work on the basis of fine print “caveat emptor” (buyer beware) logic. To get from $600m TVL back to billions, depositors must feel assured that there is adequate recourse when things go wrong (as they will), not just that “the code has been audited”.

The $11m compensation back in 2021 helped sustain momentum into DeFi summer, and helped anchor Yearn’s reputation not just as best-in-class in security, but also with fair play in mind. Safeguarding Yearn’s reputation is still important today - it allows Yearn to capture the risk-averse market segments who want to park large volumes of capital for a small premium.

In evaluating the force of this argument, it matters what the size of the compensation is. Past a certain scale, there is no way for the DAO to provide full compensation. But at smaller scales, if the DAO can provide compensation without compromising core ops or the roadmap, not providing adequate compensation would be a very bad look.

The question is how we can structure the compensation to be aligned with the DAO’s interests - both reputational and actual. Given how many of us are also YFI holders, we want Yearn to succeed.

Agree with the foregoing comments that a set of measures should be considered. Putting some views/ideas out there:

  1. The ETH in the Treasury should be put towards like-for-like compensation.
  2. The part of the security budget that should have been provided to yETH should be wholly put towards compensation.
  3. A portion of the stables should be put towards compensation, after considering the needs of operating capital, and some safety margin for future payouts. One idea might be to use this to market purchase YFI, which would then be released to the victims in a vesting schedule over two years (provides price support for YFI).
  4. No new YFI to be issued, but some of the Treasury’s YFI (about 1000) could either be (1) vested to victims over some timeframe, or (2) be staked (after the move to st-YFI) under a special arrangement where revenue share goes to the victims. (2) has the advantage of there being no sell pressure on YFI.
  5. Devote some of Yearn’s revenue (e.g. 10%) towards a compensation fund - whenever it reaches a certain sum (e.g. $100k), it is paid out to the outstanding pool of victims (which could be today’s victims, or future victims).

(3)-(5) would essentially be haircuts for the victims - mainly in the form of delayed compensation.

1 Like

Hello everyone,

This past week has been extremely difficult for everyone affected by the yETH exploit. Many contributors were also yETH depositors, and we share the impact of this event personally. Since the incident, multiple teams across the ecosystem have been working around the clock to reconstruct exactly what happened, preserve evidence, recover assets, and build a clear path forward.

Current recovery status

We have successfully recovered 857.49 pxETH (~25% of the drained assets) with the assistance of the Plume and Dinero teams. These recovered funds will be distributed pro rata to all yETH depositors based on balances immediately prior to the exploit. A clear, secure claiming process will be published once the implementation is complete.

If additional funds are returned, whether by the exploiter or through further coordinated recovery, they will also be distributed pro rata.

Nothing is required from users at this stage. Please avoid interacting with unofficial links or forms.

Crucial safety warning

Snapshots have been taken at the block immediately preceding the exploit.

  • Do not buy yETH or st-yETH: Because the underlying LST assets in the pool were drained, both tokens should now be treated as having no remaining economic value.
  • No action is required: Buying, selling, unstaking, or moving tokens now will not change your claim amount.
  • Eligibility is already fixed: Your claim is determined solely by the on-chain state before the exploit.

Understanding yETH governance

Under YIP-72, yETH is a self-governed, permissionless product whose treasury and accounting are controlled by its depositors, not the Yearn DAO or YFI token holders. This means:

  • Contributors cannot unilaterally mint, reimburse, or modify user positions.
  • Any action beyond distributing recovered funds requires community governance and must take into account the scale of losses and the product’s design.

We are evaluating all possible paths within these governance constraints and will communicate openly as options become clearer.

Next steps

Our priorities now are:

  1. Maximizing recovery of remaining assets
  2. Publishing a clear, technically accurate post-mortem of the exploit
  3. Providing a fair remediation and claims process for affected depositors
  4. Hardening all invariant math, numerical guards, and architectural review processes across our protocols and teams

We will continue to provide updates as they become available.

We know this has been a devastating event. Thank you for your patience, your feedback, and your resilience as we work through this together.

3 Likes
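As an added illustration of the pro rata claim rule described in the update above (this is not Yearn’s code or the actual distributor; the addresses and balances are constructed, and only the 857.49 pxETH figure comes from the thread):

```python
# Added illustration of the pro rata claim rule. All addresses, balances and
# the claim flow are constructed/hypothetical; only the 857.49 pxETH figure
# is taken from the thread.

# Constructed snapshot of yETH balances (18-decimal units) at the block
# immediately preceding the exploit.
SNAPSHOT_WEI = {
    "0xdepositorA": 400 * 10**18,
    "0xdepositorB": 250 * 10**18,
    "0xdepositorC": 100 * 10**18,
}

# 857.49 pxETH recovered, expressed in 18-decimal units.
RECOVERED_WEI = 857_490_000_000_000_000_000


def pro_rata_claims(snapshot, recovered):
    """Map each snapshot address to its claim. Floor division guarantees the
    claims can never sum to more than what was actually recovered."""
    total = sum(snapshot.values())
    if total == 0:
        return {}
    return {addr: bal * recovered // total for addr, bal in snapshot.items()}


def undistributed_dust(snapshot, recovered):
    """Units left over after flooring; they stay with the distributor rather
    than being over-paid to anyone."""
    return recovered - sum(pro_rata_claims(snapshot, recovered).values())


class ClaimLedger:
    """Eligibility is frozen at the snapshot: transfers made afterwards cannot
    add or change entries, and each address is paid at most once."""

    def __init__(self, snapshot, recovered):
        self.claims = pro_rata_claims(snapshot, recovered)
        self.paid = {}

    def claim(self, addr):
        if addr not in self.claims:
            raise KeyError(f"{addr} held no yETH at the snapshot block")
        if addr in self.paid:
            raise ValueError(f"{addr} already claimed")
        self.paid[addr] = self.claims[addr]
        return self.paid[addr]


if __name__ == "__main__":
    ledger = ClaimLedger(SNAPSHOT_WEI, RECOVERED_WEI)
    for addr in SNAPSHOT_WEI:
        print(addr, ledger.claim(addr) / 10**18, "pxETH")
```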

Thought to add some views on YIP72.

  1. yETH was unfortunately not designed to the specifications under YIP72. Minting of yETH was only supposed to be possible upon the depositing of ETH, but the infinite mint exploit showed this was clearly invalid. Two quotes from YIP72:

<Background: “Yearn ETH (yETH) is minted when users deposit into a basket of various ETH Liquid Staking Tokens (LSDs).”>

<4. Minting Permissions

Only three smart contracts are allowed to mint yETH:

The Pool, holding LSD assets and minting yETH at a 1:1 ratio to the ETH equivalent of these assets.

The Bootstrapper, used to launch yETH, with minting enabled only for a limited time period.

The POL contract, providing protocol-owned liquidity in pools.>

  2. If losses arose under conditions where yETH functioned correctly - e.g. LST depegging leading to a spiral, then this is rightly on st-yETH holders as a matter of our governance (i.e. not limiting risk, poor identification of LSTs).

  3. But yETH did not function correctly. We were left holding a timebomb with a critical security vulnerability, with a code base that was immutable (i.e. it could not be upgraded, and it was therefore to be assumed that no upgrades would be needed).

The compact was that st-yETH holders would be responsible for losses stemming from our parameterised governance decisions, not something as fundamental as this.

2 Likes

Kindly take cognizance of st-yETH balances in the Balancer pool: https://balancer.fi/pools/ethereum/v2/0xcf8dfdb73e7434b05903b5599fb96174555f43530002000000000000000006c3

2 Likes

Post Mortem:

I do want to push back gently on the “Use at Own Risk” clause from YIP-72 §8 that’s been referenced a lot (the one saying Yearn contributors and YFI holders “are not involved and will not compensate users for any critical failure”).

With respect, applying it here as a hard “no compensation” feels mismatched and honestly a bit disappointing.

Of course we’re all experienced crypto users, we know the risks, accept that full compensation might not be feasible, and aren’t expecting the treasury to be drained for every incident. That’s fine; DeFi is risky by nature.

But using that clause to justify zero help (beyond recovered funds) just doesn’t sit right, because this exploit wasn’t about the governable parts the clause seems designed to cover. Self-governance in yETH is mainly about voting on basket composition, which LSTs to include, their percentage weights, tolerance bands, etc. If we had voted badly and caused a depeg or slashing, fair enough: own the risk.

This was different. It stemmed from core implementation flaws that no st-yETH vote could ever touch or prevent. Those were deployment and design decisions made before launch.

yETH was marketed for over a year as one of Yearn’s flagship products—front-and-center on yearn.fi, heavily promoted as the smart ETH LST solution, with Yearn happily collecting its performance fee the entire time. It built real trust and TVL under the Yearn brand.

So when a core code bug (not a governance mistake) causes losses, leaning on a disclaimer to keep the treasury completely untouched feels more like legal shielding than the honest, fair-play spirit Yearn has always prided itself on.

I’m not demanding full reimbursement or anything that would hurt the protocol long-term. Some form of meaningful partial support would already go a huge way toward showing that Yearn stands behind its products when things go wrong for reasons outside users’ control.

Just my honest take as an affected depositor. Happy to discuss or refine ideas.

Nothing is decided yet, but seeing that clause mentioned so many times does seem to point in the direction things are heading.

My considerations can be evaluated by reading the yETH discussion here: YIP-72: Launch yETH

Attaching a screenshot as an example.

2 Likes

No new YFI to be issued, but some of the Treasury’s YFI (about 1000) could either be (1) vested to victims over some timeframe, or (2) be staked (after the move to st-YFI) under a special arrangement where revenue share goes to the victims. (2) has the advantage of there being no sell pressure on YFI.

How much YFI does Yearn’s Treasury hold?

Looking at the Yearn treasury vault on Etherscan it looks like the treasury holds only a handful of YFI. Though I do see over 2,060 Curve upYFI Factory yVault (yvCurve-upYFI-f) but I’m not familiar with that vault.

*Edit to include Etherscan link.

You can check here for a better understanding: DeBank | Your go-to portfolio tracker for Ethereum and EVM

1 Like

I checked there as well. I only see about 11 YFI and the rest is upYFI.

Quick update: I’m working on a proposal as an individual contributor, hoping to post in the next few days. I will share a link here when I do.

1 Like

Proposal is up: https://gov.yearn.fi/t/proposal-yip-xx-yeth-optimistic-recovery-plan

Make sure to indicate support in the poll.

Feedback is welcome.

1 Like