Gm to everyone who woke up to @yearnfi attack. Here's your morning note on what has happened ↓ When: November 30, 2025. Affected product: yETH (Yearn Ether) Losses: $8-9 million. Attack flow: • Deployment: Attacker deployed custom smart contracts designed specifically for this exploit • Execution Single transaction minted massive amounts of yETH tokens • Drainage: Used minted tokens to drain approximately $8M from the yETH pool and ~$900K from the yETH-WETH pool on Curve • Laundering: Transferred 1,000 ETH (~$3M) to Tornado Cash • Cleanup: Self-destructed attack contracts to remove evidence What was affected: ✅ yETH product only – the legacy liquid staking token aggregator ✅ yETH-WETH Curve pool – secondary impact What was NOT affected: ❌ Yearn V2 Vaults ❌ Yearn V3 Vaults ❌ Other Yearn products This guy → @Togbe0x → Helped to identify this early. Key lessons: • This case highlights the ongoing risk of legacy code in DeFi protocols • Demonstrates that even battle-tested protocols can have hidden vulnerabilities in older products • Shows the value of modular architecture – isolating products prevented contagion • The infinite mint vulnerability is a classic DeFi attack vector that continues to plague protocols • Proper access controls and mint limits are critical for token contracts Be safe.