Yearn Finance, a prominent DeFi yield aggregator, fell victim to a sophisticated exploit targeting its legacy yETH stableswap pool—a custom contract aggregating liquid staking tokens (LSTs) like stETH, rETH, and cbETH.
The attacker exploited a critical vulnerability in the yETH token contract, specifically an “unchecked arithmetic” bug combined with a cached storage issue in the packed_vbs array.
This allowed them to deposit just 16 wei the smallest unit of ETH and mint an astronomically large supply of yETH—approximately 235 septillion tokens 2.3544 × 10^56, effectively infinite.
Register for Tekedia Mini-MBA edition 19 (Feb 9 – May 2, 2026): big discounts for early bird.
Tekedia AI in Business Masterclass opens registrations.
Join Tekedia Capital Syndicate and co-invest in great global startups.
Register for Tekedia AI Lab: From Technical Design to Deployment (next edition begins Jan 24 2026).
With this inflated supply, the attacker swapped the unbacked yETH for legitimate assets in a single transaction, draining: $8 million from the main yETH stableswap pool. $900,000 from the related yETH-WETH pool on Curve Finance.
The total loss clocked in at around $9 million. The attacker then laundered over $3 million in ETH through Tornado Cash, a privacy mixer, and staked the remaining ~$6 million in LSTs likely to delay recovery efforts.
Yearn’s team confirmed the exploit was isolated to this legacy pool and did not affect its core V2/V3 vaults, which hold over $410 million in deposits. No direct user funds in active strategies were impacted, but depositors in the affected pool suffered losses.
The bug stemmed from outdated code in a customized StableSwap implementation. It enabled infinite minting without proper collateral checks, turning a math error into an “infinite money glitch.” This is the third major Yearn exploit since 2021, following two flash loan attacks that cost $22 million combined.
Security firm PeckShield flagged it first, noting the single-tx nature of the drain. By December 2, Yearn recovered $2.4 million in pxETH a Plume Network LST through coordination with Plume and Dinero teams. The remaining funds are being tracked, with the attacker’s wallet still holding mixed assets.
Yearn’s post-mortem highlights similarities to the recent Balancer exploit in complexity. Crypto hacks have exceeded $2.5 billion in losses for 2025 alone. ETH prices dipped ~5% post-exploit, reflecting DeFi jitters. Yearn emphasized that newer products use audited, safer code, but the incident underscores risks in legacy contracts.
This exploit serves as a stark reminder for DeFi users: Always audit interactions, diversify pools, and monitor for outdated deployments. Yearn’s quick isolation prevented wider damage, but it highlights ongoing challenges in securing complex LST ecosystems.
Ryan Whitney’s $30K Loss on Dave Portnoy’s GREED Token
In a recent admission that’s gone viral in crypto circles, Ryan Whitney—a former NHL player and co-host of the Spittin’ Chiclets podcast—revealed he lost $30,000 chasing gains on GREED, a Solana-based meme coin launched by Barstool Sports founder Dave Portnoy in February 2025.
Whitney shared the story candidly, turning it into a humorous yet brutal lesson on the perils of hype-driven tokens.The BackstoryPortnoy, notorious for his chaotic crypto forays, launched GREED on February 18, 2025, branding it as a satirical nod to “extreme greed” in meme coins—complete with a Gordon Gekko (Wall Street) meme.
He scooped up 357.9 million tokens 35% of supply for ~$358,000 worth of SOL, pumping the market cap to $41.5 million. But just 30 minutes after denying dump plans on X Spaces even claiming he tried to burn supply, Portnoy sold his entire stake in one transaction, crashing GREED 99% from $0.03 to under $0.003.
Portnoy’s Haul: He pocketed ~$258,000 in profit, then pivoted profits to JAILSTOOL and launched GREED2 which hit $28 million cap before tanking 90%. Traders got wrecked—one sniped 911 SOL $153,000 early, only to sell for 309 SOL ($52,000), losing $101,000 in hours. Crypto sleuths like ZachXBT slammed it as a “rug pull worse than native influencers.”
He FOMO’d in during the hype, drawn by Portnoy’s Barstool clout and the token’s cheeky theme. As one X user quipped: “Imagine telling your kids you lost money on something literally called GREED. The market has a sense of humor. Dark one, but still.”
His story resonates as a relatable gut-punch—$30K isn’t chump change, especially for a high-profile athlete admitting it publicly. Portnoy warned “don’t invest more than you can afford to lose,” but his rapid exit amplified the irony. Whitney’s tale echoes broader 2025 meme coin carnage, where influencers like Portnoy fuel pumps then bail.
Whitney’s no newbie, but it shows even pros get burned chasing narratives. Key takeaway: Size small he didn’t overexpose, set exits, and remember meme coins are zero-sum gambling. Both stories capture crypto’s wild duality—innovation in DeFi meets reckless speculation in memes.