Briefing

The Yearn Finance legacy yETH StableSwap pool was exploited for approximately $9 million via a sophisticated token minting attack. The attack leveraged a critical flaw in the pool’s custom accounting logic, allowing the malicious actor to mint an astronomical supply of yETH tokens and drain the underlying liquid staking assets. This incident is notable because the attacker successfully minted 235 septillion yETH with a minimal 16 wei deposit, highlighting an extreme capital-efficiency vector.

Context

The prevailing attack surface in DeFi is increasingly shifting toward technical debt vulnerabilities within custom or legacy contracts running alongside newer, more secure versions. This incident specifically leveraged an older yETH pool, which operated on a separate code path from the protocol’s main V2 and V3 vaults. The core risk was a critical, unhandled state in the contract’s accounting introduced by gas-optimization techniques.

Analysis

The compromise targeted a Cached Storage Flaw within the pool’s internal accounting, which used packed_vbs variables to cache virtual balances for gas efficiency. The attacker first executed multiple deposit-and-withdrawal cycles using flash-loaned funds, deliberately accumulating residual, non-zero values in this storage cache. Upon the final withdrawal, the main supply counter correctly reset to zero, but the cached storage values remained populated, or “stale.” A subsequent minimal deposit of 16 wei triggered the contract’s “first-ever deposit” logic, which incorrectly read the stale, inflated cache values, allowing the attacker to mint a near-infinite token supply to drain the pool’s assets.

Parameters

  • Total Loss Estimate → $9,000,000 – Total value of liquid staking tokens and WETH drained from the pools.
  • Exploited Token Supply → 235 Septillion yETH – The astronomical number of tokens minted from a dust deposit.
  • Initial Deposit Cost → 16 Wei – The minimal amount of capital required to trigger the exploit logic.
  • Recovered Funds → $2.4 Million – Assets successfully recovered through coordinated efforts with DeFi partners.

Outlook

Protocols must now prioritize aggressive and complete deprecation of legacy contracts, as the risk from technical debt is clearly quantifiable. Immediate mitigation for all DeFi protocols involves a systematic review of gas-optimization logic, specifically focusing on state variables that are cached and not fully reset to zero during complete liquidity withdrawals. This event reinforces the need for formal verification tools that specifically model and test for edge-case state transitions, especially those involving arithmetic after a pool has been fully drained.
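Both the cached-balance failure described under Analysis and the review of "cached but not reset" state recommended here are easier to reason about with a small executable model. The Python below is an added example written for this briefing, not the yETH pool's code: the `Pool` class, the `vb_cache` list (a stand-in for the packed_vbs cache), the constructed rates of 1.7 and 1.2, the rounding rule (virtual balance rounded up on deposit, down on withdrawal) and the deposit/withdrawal pattern in `run_cycles` are all assumptions of the model. It shows the supply counter returning to zero while the cache keeps residue, the "first deposit" branch pricing a dust deposit off that residue, the reset-on-empty that closes the gap, and the property `empty_pool_invariant_holds` that a fuzz harness or formal specification would state.

```python
"""Model of a pool that caches virtual balances for gas efficiency.

Added example constructed for this briefing; it is not the yETH pool's code.
It reproduces the state transition described above: the LP supply counter
returns to zero while the cached virtual balances (standing in for the pool's
packed_vbs) keep residual values, and the next deposit is priced off that
stale cache. The flag reset_cache_on_empty selects the hardened variant.
"""
import random

PREC = 10**18  # fixed-point scale for asset rates; PREC means a rate of 1.0 (model assumption)


def ceil_div(a, b):
    return -(-a // b)


class Pool:
    def __init__(self, rates, reset_cache_on_empty):
        self.rates = list(rates)          # per-asset rate, e.g. an LST exchange rate
        self.assets = [0] * len(rates)    # real token balances held by the pool
        self.vb_cache = [0] * len(rates)  # cached virtual balances (packed_vbs analogue)
        self.supply = 0                   # LP token supply counter
        self.reset_cache_on_empty = reset_cache_on_empty

    def deposit(self, i, amount):
        """Add `amount` of asset i; returns the LP shares minted."""
        # Virtual balance credited rounds up, in the pool's favour (model choice).
        dvb = ceil_div(amount * self.rates[i], PREC)
        total_vb_before = sum(self.vb_cache)
        self.assets[i] += amount
        self.vb_cache[i] += dvb
        if self.supply == 0:
            # "First-ever deposit" branch: shares are priced off the cache total,
            # so any residue left in the cache is credited to this depositor.
            shares = sum(self.vb_cache)
        else:
            shares = dvb * self.supply // total_vb_before
        self.supply += shares
        return shares

    def withdraw(self, shares):
        """Burn `shares`; pays out a proportional slice of every asset."""
        if not 0 < shares <= self.supply:
            raise ValueError("invalid share amount")
        for i in range(len(self.rates)):
            amt = self.assets[i] * shares // self.supply
            self.assets[i] -= amt
            # Virtual balance debited rounds down, so the cache keeps a little
            # residue even after the last share is burned.
            self.vb_cache[i] -= amt * self.rates[i] // PREC
        self.supply -= shares
        if self.supply == 0 and self.reset_cache_on_empty:
            # Hardened variant: a fully drained pool carries no cached balance.
            self.vb_cache = [0] * len(self.rates)


def make_pool(hardened):
    # Two assets with constructed rates of 1.7 and 1.2.
    return Pool([17 * PREC // 10, 12 * PREC // 10], reset_cache_on_empty=hardened)


def empty_pool_invariant_holds(pool):
    """The property a spec or fuzz harness should state: zero supply implies zero cache."""
    return pool.supply != 0 or all(v == 0 for v in pool.vb_cache)


def run_cycles(pool, cycles):
    """Lump deposit, then drain in small withdrawals; repeat. Returns the cache residue."""
    for _ in range(cycles):
        pool.deposit(0, 3)
        while pool.supply > 0:
            pool.withdraw(min(2, pool.supply))
    return list(pool.vb_cache)


def tiny_deposit_shares(pool, amount=1):
    """Shares minted by a dust deposit into a pool whose supply counter reads zero."""
    if pool.supply != 0:
        raise ValueError("pool is not empty")
    return pool.deposit(0, amount)


def fuzz_invariant(hardened, seed=1, steps=2000):
    """Random deposit/withdraw sequences; returns how often the invariant was violated."""
    rng = random.Random(seed)
    pool = make_pool(hardened)
    violations = 0
    for _ in range(steps):
        if pool.supply == 0 or rng.random() < 0.5:
            pool.deposit(rng.randrange(2), rng.randrange(1, 50))
        else:
            pool.withdraw(rng.randrange(1, pool.supply + 1))
        if not empty_pool_invariant_holds(pool):
            violations += 1
    return violations


if __name__ == "__main__":
    for hardened in (False, True):
        pool = make_pool(hardened)
        residue = run_cycles(pool, 3)
        print("hardened" if hardened else "vulnerable", "residue:", residue,
              "shares for a 1-unit deposit:", tiny_deposit_shares(pool),
              "fuzz violations:", fuzz_invariant(hardened))
```

Run directly, the vulnerable pool finishes three cycles with residue in the cache and mints 11 shares for a 1-unit deposit that the hardened pool prices at 2; the random sequences never violate the invariant on the hardened pool. The invariant is the part worth carrying into a real harness: after any operation that leaves total supply at zero, every cached balance must also read zero, and a test that drives the pool to empty and back is the cheapest way to catch the state this briefing describes.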

Verdict

The exploit serves as a definitive case study that legacy smart contract arithmetic flaws and stale state variables represent a systemic, high-leverage attack vector against even the most established DeFi pioneers.

Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

technical debt

Definition ∞ Technical debt represents the deferred cost of choosing an easier, but suboptimal, solution during software development instead of applying the best possible approach.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

supply

Definition ∞ Supply refers to the total quantity of a specific digital asset that is available in the market or has been issued.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.