Security

Yearn Finance yETH Pool Drained Exploiting Stale Storage Cache

Unvalidated state transitions in the yETH pool's custom stableswap logic allowed an attacker to mint infinite tokens, resulting in a $9M capital drain.
December 4, 20253 min

A luminous, ice-like sphere, resembling a miniature moon, is centrally positioned on an advanced metallic platform. Surrounding the sphere are fine, light blue crystalline particles, with darker blue concentrations near its base, while blue vapor drifts around the structure
A detailed macro shot focuses on the circular opening of a translucent blue bottle or container, showcasing its internal threaded structure and smooth, reflective surfaces. The material's clarity allows light to refract, creating bright highlights and subtle gradients across the object's form

Briefing

A critical vulnerability in a custom stableswap contract for the Yearn Finance yETH pool on Ethereum has resulted in a $9 million asset drain. The exploit leveraged a flaw in the protocol’s internal accounting, specifically where cached storage variables were not reset after the pool’s total supply was depleted. This state inconsistency allowed the threat actor to execute a highly capital-efficient attack, minting an astronomical 235 septillion yETH tokens from a negligible 16 wei deposit to deplete the pool’s underlying assets. This incident confirms the extreme risk inherent in complex, non-standardized smart contract logic that attempts gas-saving optimizations.

A futuristic, intricate mechanical structure, composed of metallic rings, springs, and layered elements in white, silver, and dark grey, encloses a vibrant, gradient cloud-like substance. This substance transitions from dense white at the top to deep blue at the bottom, suggesting dynamic movement within the core

Context

The prevailing risk factor in the decentralized finance (DeFi) ecosystem remains the use of complex, custom-forked contracts that introduce subtle state management vulnerabilities. This incident targeted a bespoke stableswap implementation, which, in an effort to reduce gas costs, utilized cached storage variables to track virtual balances. The known attack surface for this class of protocol is the failure to explicitly handle all possible state transitions, particularly the edge case where a pool’s total supply is zeroed out.

A dark blue, spherical digital asset is partially enveloped by a translucent, light blue, flowing material. This enveloping layer is speckled with numerous tiny white particles, creating a dynamic, abstract composition against a soft grey background

Analysis

The attack vector exploited a “Cached Storage Flaw” in the contract’s logic for calculating the share price upon the first deposit into an empty pool. The attacker first executed multiple deposit-and-withdrawal cycles to deliberately leave residual, phantom balances in the gas-optimized packed_vbs storage variables. They then withdrew all remaining liquidity, correctly setting the total token supply to zero but leaving the cached virtual balance variables populated with stale, non-zero data. Finally, a minimal deposit of just 16 wei was executed, which triggered the contract’s “first-ever deposit” logic, causing it to incorrectly read the large, stale values and mint a near-infinite number of yETH tokens to the attacker.

A metallic, cubic device with transparent blue accents and a white spherical component is partially submerged in a reflective, rippled liquid, while a vibrant blue, textured, frosty substance envelops one side. The object appears to be a sophisticated hardware wallet, designed for ultimate digital asset custody through advanced cold storage mechanisms

Parameters

  • Total Loss → $9 Million USD (The estimated total value of underlying assets drained from the yETH pool).
  • Vulnerability Type → Cached Storage Flaw (A logic error where internal accounting variables were not reset upon a critical state change).
  • Minted Token Quantity → 235 Septillion yETH (The astronomical number of tokens minted by the attacker due to the logic flaw).
  • Trigger Cost → 16 Wei Deposit (The minimal amount of input required to trigger the infinite minting condition).
  • Affected Protocol Component → Custom yETH Stableswap Contract (The specific, non-standard contract implementation containing the flaw).

A transparent, elongated crystalline object, resembling a hardware wallet, is shown interacting with a large, irregular mass of deep blue, translucent material. Portions of this blue mass are covered in delicate, spiky white frost, creating a striking contrast against the vibrant blue

Outlook

Immediate mitigation for similar protocols requires an urgent audit of all custom contract logic, specifically focusing on explicit state management for edge cases like zero-supply conditions and gas-saving accounting mechanisms. The primary second-order effect is a heightened contagion risk for any protocol that has forked or adapted similar stableswap code without rigorous state transition testing. This event will establish a new security best practice mandating formal verification for all internal accounting logic to ensure that cached or virtual balances are synchronized with the actual, on-chain token supply at every critical juncture.

The exploit confirms that even marginal gas optimizations introduce catastrophic systemic risk when they violate the fundamental principle of explicit and validated state transitions.

Stale storage value, infinite token minting, DeFi accounting error, virtual balance flaw, stableswap logic, gas optimization risk, zero supply condition, critical vulnerability, on-chain forensics, state transition bug, smart contract exploit, flash loan vector, Ethereum protocol risk, token price manipulation, pool drain event, custom contract code, asset loss, internal accounting, deposit logic, minimal input Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

cached storage variables

Definition ∞ Cached storage variables refer to data elements temporarily held in a faster access memory layer, rather than directly retrieved from the primary, slower blockchain storage.

state transitions

Definition ∞ State transitions describe changes in the condition or data of a system over time, typically triggered by an action.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

yeth pool

Definition ∞ A yETH Pool refers to a specific liquidity pool within the Yearn Finance ecosystem, typically designed to optimize yield for wrapped Ethereum (wETH) or other ETH-derived assets.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

state management

Definition ∞ State management refers to the process of controlling and organizing the dynamic data or conditions of a system or application.

Tags:

Tags: