Top 3 DeFi Incidents in December
Yearn Finance: ~$9M
On December 1, Yearn Finance’s yETH pool on Ethereum was exploited, resulting in total losses exceeding $9 million. With assistance from external security teams, about $2.39 million (857.49 pxETH) was successfully rescued on the same day.
The vulnerability resided in the _calc_supply() function, which used an iterative method to calculate new supply approximations. Unsafe math operations caused rounding errors and underflow issues. While the vulnerability itself appeared relatively straightforward, the attacker executed sophisticated steps to exploit it, manipulating the pool's supply down to zero before extracting profits.
Sixteen days later, the protocol suffered a second breach as an outdated contract from its legacy version (iEarn) was compromised. This incident exploited a known misconfiguration vulnerability previously identified in 2023. The second incident resulted in $300k in losses, bringing the protocol's total monthly impact to nearly $10 million.
Read official post-mortem for detailed attack analysis
Trust Wallet: ~$7M
On Christmas Day, Trust Wallet suffered a critical security breach in its Chrome extension (v2.68), resulting in the theft of approximately $7 million in user funds.
The root cause was a malicious backdoor injected into the codebase, suspected to have originated from a social engineering attack targeting the development team. This backdoor method uploads user memonics to an attacker-controlled server, compromising any memonics generated or imported using this specific version of the extension. The attacker subsequently drained user funds on multiple chains and routed them to non-KYC exchanges.
Following the incident, the Trust Wallet team released an emergency update to remove the backdoor and committed to a compensation plan for affected users. This breach serves as a stark reminder that security must span the entire protocol lifecycle. Beyond on-chain code audits, securing off-chain infrastructure and maintaining continuous monitoring are essential to safeguarding user assets.
Ribbon Finance: ~$2.7M
On December 12, Ribbon Finance on Ethereum was attacked, resulting in a loss of $2.7 million.
The root cause was improper access control in the setAssetPricer() function within the Oracle contract, allowing anyone to arbitrarily set asset prices. The attacker exploited this by first setting a legitimate-looking price oracle to avoid detection, as the protocol only settles options on whole-week intervals. After creating and purchasing a call option position, the attacker waited until the exercise date to upgrade the contract and replace the benign oracle with a malicious one that set an artificially inflated asset price, then exercised the option to extract profit.
This incident highlights that access control remains a critical aspect of smart contract security. A single oversight in permission management can expose protocols to significant risks. Comprehensive security audits that examine all administrative functions are essential before deployment to identify and address such vulnerabilities.
The information above is based on data as of 00:00 UTC, December 30, 2025.
This concludes the December security incidents brief
You can learn more in our Security Incidents Library.
Stay informed and stay secure!
