How Does Yearn Finance Work?
The original DeFi yield aggregator: it automatically invests deposits across lending and trading protocols to maximize returns and manages $560M in deposits. Its C+ grade reflects four separate hacks across its history, including two in 2025 that targeted old vault code, and the risk that a compromised admin key could redirect all vault funds instantly.
TVL: $208M
Sector: Yield
Risk Grade: C+
Value Grade: B-
Core Mechanisms
Yield/Vault-Aggregation
Multi-strategy vaults that deploy capital across DeFi protocols for optimised yield
Pioneer of vault-based yield aggregation. Vaults allocate capital to multiple strategies, auto-compounding returns. V2/V3 vaults hold the active TVL.
Yield/Strategy
Modular strategy contracts deployed by whitelisted strategists
Each vault can connect to multiple strategies. Strategies are written by community strategists and vetted through governance, but controller keys can redirect funds.
Admin/Controller
Controller role with authority to attach/detach strategies to vaults
Controller can connect a vault to any strategy at any time. A malicious or compromised controller could attach a draining strategy with no timelock.
Governance/Token
YFI governance token with fair launch distribution (no VC allocation)
YFI was fair-launched in 2020 with no pre-mine or VC funding. Governance controls vault parameters, fee structure, and treasury.
Fees/Performance
20% performance fee on vault profits plus 2% management fee
Standard hedge-fund-style 2/20 fee structure applied to DeFi vaults. Fees fund protocol treasury and strategist rewards.
Yield/Auto-Compound
Automated harvesting and re-deployment of accrued yield
Vaults periodically harvest strategy profits and re-deploy into the underlying strategies for compounding.
Legacy/Deprecated-Contracts
V1 and iEarn legacy contracts still holding residual funds
Legacy v1 vaults and iEarn contracts remain deployed with residual user funds. These have been the target of multiple 2025 exploits due to outdated logic.
How the Pieces Interact
Outdated invariants and rate-update logic in legacy contracts create exploit vectors; the $9M yETH exploit leveraged stale contract logic to mint unbounded tokens.
A compromised controller can redirect vault funds to a malicious strategy, draining all depositor capital with no warning or timelock protection.
Strategies deploy into third-party protocols (Aave, Compound, Curve); an exploit in any downstream protocol propagates losses to Yearn depositors.
Share price calculated from vault balances can be manipulated via direct token donations or flash loans, as demonstrated in the TUSD vault exploit.
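A toy model of the donation mechanism described above, added here as an example; it is not Yearn's vault code and does not claim to reproduce the TUSD exploit path. The `Vault` class, the 1-wei seed, the 10,000-token victim deposit and the 6-decimal virtual-share offset are assumptions. A flash loan only changes where the attacker's donation capital comes from inside the transaction; the share arithmetic is the same either way.

```python
"""Toy model of vault share accounting (added example, not Yearn's code).

A vault mints shares pro rata to totalAssets / totalSupply. When totalAssets
is read from token.balanceOf(vault), anyone can move the share price by
transferring tokens directly to the vault ("donation") without minting
shares. Combined with integer rounding, a first depositor can make a later
depositor's shares round to zero and then redeem the whole balance.
The decimals_offset path models the ERC-4626 virtual-share mitigation (the
scheme OpenZeppelin's ERC4626 uses): shares are priced against 10**offset
virtual shares and one virtual asset, so rounding favours the vault.
"""

ONE_TOKEN = 10**18  # assumed 18-decimal underlying


class Vault:
    def __init__(self, decimals_offset=None):
        # None: naive accounting (first depositor gets one share per asset unit,
        # later depositors get assets * supply // balance).
        self.offset = decimals_offset
        self.balance = 0          # what balanceOf(vault) reports
        self.total_shares = 0
        self.shares = {}

    def to_shares(self, assets):
        if self.offset is None:
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.balance
        return assets * (self.total_shares + 10**self.offset) // (self.balance + 1)

    def to_assets(self, shares):
        if self.offset is None:
            return shares * self.balance // self.total_shares
        return shares * (self.balance + 1) // (self.total_shares + 10**self.offset)

    def deposit(self, who, assets):
        minted = self.to_shares(assets)
        self.balance += assets
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def redeem(self, who, shares):
        assets = self.to_assets(shares)
        self.shares[who] -= shares
        self.total_shares -= shares
        self.balance -= assets
        return assets

    def donate(self, assets):
        # Direct ERC-20 transfer to the vault address: balance grows, no shares minted.
        self.balance += assets


def donation_attack(vault, victim_deposit=10_000 * ONE_TOKEN):
    """Front-run the victim: seed 1 wei, donate, let the victim deposit, redeem.

    Returns (victim_shares, attacker_cost, attacker_payout).
    """
    seed = 1
    vault.deposit("attacker", seed)
    # Donate enough that one share is worth at least the victim's deposit, so
    # under naive accounting the victim's share count rounds down to zero.
    donation = victim_deposit
    vault.donate(donation)
    victim_shares = vault.deposit("victim", victim_deposit)
    payout = vault.redeem("attacker", vault.shares["attacker"])
    return victim_shares, seed + donation, payout
```

With naive accounting the victim receives zero shares and the attacker redeems both deposits; with the virtual-share offset the victim gets a proportional share and the attacker's donation is mostly lost to the vault, which is what makes the attack uneconomic.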
Harvesting costs can exceed strategy returns in low-yield environments, creating negative-yield scenarios for smaller vaults.
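The harvest-cost point above, worked through as an added example (not Yearn's keeper or strategy logic); the APRs, gas cost per harvest and TVL figures are assumptions. `net_apy` simulates a year of harvests that each pay a fixed gas cost before re-depositing, `breakeven_tvl` gives the vault size below which a single harvest loses money, and `best_interval` picks the harvest cadence that maximizes net return for a given vault size.

```python
"""Harvest economics model (added example, not Yearn's code; all numbers are
assumptions). Each harvest realizes the accrued profit, pays a fixed gas cost
and compounds the remainder; when gas exceeds the accrued profit the harvest
loses money, which is how small vaults end up with negative yield.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600
DAY = 24 * 3600


def net_apy(tvl, gross_apr, interval, gas_cost):
    """Realized APY after one year of harvests every `interval` seconds.

    Profit per harvest is simple interest on the current balance over the
    interval minus gas; whatever is left is compounded back in.
    """
    balance = float(tvl)
    harvests = int(SECONDS_PER_YEAR // interval)
    for _ in range(harvests):
        balance += balance * gross_apr * interval / SECONDS_PER_YEAR - gas_cost
    return balance / tvl - 1


def breakeven_tvl(gross_apr, interval, gas_cost):
    """Smallest TVL at which one harvest's accrued profit covers its gas."""
    return gas_cost * SECONDS_PER_YEAR / (gross_apr * interval)


def best_interval(tvl, gross_apr, gas_cost,
                  candidates=(DAY, 3 * DAY, 7 * DAY, 14 * DAY, 30 * DAY)):
    """Harvest interval that maximizes net APY for this vault size."""
    return max(candidates, key=lambda i: net_apy(tvl, gross_apr, i, gas_cost))
```

At 1% gross APR and $50 of gas per harvest, a vault needs about $1.8M of TVL before a daily harvest stops losing money; below that, harvesting less often only reduces the loss, it does not turn the vault positive.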
What Could Go Wrong
- Four separate exploits confirmed: $11M DAI vault (Feb 2021), $9M yETH (Dec 2025), $300K TUSD (2025), and a March 2026 legacy v1 vault drain of ~$290K — establishing a persistent pattern of legacy code exploitation on Yearn infrastructure
- Controller/strategist key can connect vaults to arbitrary strategies, enabling fund drainage with no user warning period
- Multi-strategy vault composition increases attack surface — each additional strategy adds a potential exploit vector
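A model of the controller risk listed above, added as an example; it is not Yearn's controller, vault or strategy code, and the 48-hour delay, the `DrainingStrategy`, the deposit size and all names are assumptions. It contrasts an attach that takes effect in the same transaction with one that has to sit in a queue first, which is the window an off-chain monitor can watch and depositors can use to exit.

```python
"""Model of a vault controller attaching strategies (added example, not Yearn's
code; the 48h delay, names and amounts are assumptions for illustration).

The vault values itself as idle balance plus whatever each strategy reports.
A controller whose changes apply immediately can attach a strategy that
forwards every allocation to the attacker; a timelocked controller must queue
the attach first, and that delay is the window for monitors and depositors.
"""


class DrainingStrategy:
    """Anything the vault allocates is forwarded to the attacker's wallet."""

    def __init__(self, attacker_wallet):
        self.wallet = attacker_wallet

    def receive(self, amount):        # vault pushes idle funds in; they leave at once
        self.wallet["attacker"] = self.wallet.get("attacker", 0) + amount

    def estimated_assets(self):       # reports nothing back to the vault
        return 0


class Vault:
    def __init__(self):
        self.idle, self.strategies = 0, []
        self.shares, self.total_shares = {}, 0

    def total_assets(self):
        return self.idle + sum(s.estimated_assets() for s in self.strategies)

    def deposit(self, who, amount):
        total = self.total_assets()
        minted = amount if self.total_shares == 0 else amount * self.total_shares // total
        self.idle += amount
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def withdraw_all(self, who):
        # Pro rata claim on total_assets, paid from idle; a drained strategy
        # would return nothing if pulled from anyway.
        owed = self.shares[who] * self.total_assets() // self.total_shares
        self.total_shares -= self.shares.pop(who)
        paid = min(owed, self.idle)
        self.idle -= paid
        return paid

    def attach_strategy(self, strategy):
        self.strategies.append(strategy)
        strategy.receive(self.idle)   # allocates all idle funds at once
        self.idle = 0


class TimelockedController:
    """Attach must be queued and is executable only after the delay."""

    def __init__(self, delay):
        self.delay, self.queue = delay, {}

    def queue_strategy(self, vault, strategy, now):
        self.queue[id(strategy)] = (vault, strategy, now + self.delay)
        return now + self.delay

    def pending(self):                # what an off-chain monitor would watch
        return [(s, eta) for (_, s, eta) in self.queue.values()]

    def execute(self, strategy, now):
        vault, strategy, eta = self.queue[id(strategy)]
        if now < eta:
            raise RuntimeError(f"timelock: executable at {eta}, now {now}")
        del self.queue[id(strategy)]
        vault.attach_strategy(strategy)


DEPOSIT, DELAY, T0 = 1_000_000, 48 * 3600, 1_700_000_000


def drain_without_timelock():
    vault, loot = Vault(), {}
    vault.deposit("depositor", DEPOSIT)
    vault.attach_strategy(DrainingStrategy(loot))   # controller call, no delay
    return vault.total_assets(), loot.get("attacker", 0), vault.withdraw_all("depositor")


def drain_with_timelock():
    vault, loot = Vault(), {}
    vault.deposit("depositor", DEPOSIT)
    ctrl = TimelockedController(DELAY)
    eta = ctrl.queue_strategy(vault, DrainingStrategy(loot), T0)
    strategy, _ = ctrl.pending()[0]                 # monitor flags the queued change
    recovered = vault.withdraw_all("depositor")     # depositor exits inside the window
    try:
        ctrl.execute(strategy, T0 + 1)
        early_blocked = False
    except RuntimeError:
        early_blocked = True
    ctrl.execute(strategy, eta)                     # goes through, but nothing is left
    return recovered, loot.get("attacker", 0), early_blocked
```

Without the delay the depositor's shares redeem for nothing in the same block the strategy is attached; with it, the queued change is visible before it can execute, and the funds that left during the window are out of the controller's reach.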
Legacy Contract Exploit Chain
Trigger (Elevated): Attacker discovers an exploitable invariant in remaining V1 or iEarn legacy contracts holding >$5M in residual user funds
1. Attacker exploits stale rate-update logic or outdated invariants in a legacy V1 contract. Impact: unbounded token minting, or withdrawal of assets beyond the attacker's authorized share.
2. The exploit drains residual funds from the legacy vault (pattern: $9M yETH, $300K TUSD). Impact: users who never migrated lose their remaining deposits.
3. The attack vector is found to also apply to V2 vaults sharing the same code lineage. Impact: panic withdrawals from V2 vaults as users fear a shared vulnerability.
4. Mass vault withdrawals force strategies to unwind positions at unfavorable prices. Impact: unwinding creates slippage losses, and remaining depositors bear a proportional share of them.
5. YFI sells off on the exploit news; a fourth major exploit damages the brand irreparably. Impact: YFI drops 30%+ and the protocol loses competitive position to newer yield aggregators.
Risk Profile at a Glance
Overall: C+ (38/100)
Lower score = safer