$9 Million Stolen: Analysis of the Yearn yETH Pool Vulnerability
Background On December 1, 2025, Yearn — a long-standing decentralized yield aggregation protocol — was exploited, leading to losses of roughly $9 million. The SlowMist safety workforce has performed the following detailed evaluation of the incident: Root Cause The vulnerability stems from the logic inside the _calc_supply operate used to calculate provide in Yearn’s yETH Weighted Stableswap Pool contract….