Briefing

The Yearn Finance legacy yETH StableSwap pool was exploited for approximately $9 million through a token-minting attack. The attack leveraged a flaw in the pool’s custom accounting logic that let the attacker mint roughly 235 septillion (2.35 × 10^26) yETH against a deposit of just 16 wei and then drain the underlying liquid staking assets. The incident is notable for that ratio: the capital needed to trigger the bug was effectively nil relative to the value extracted.

Context

The prevailing attack surface in DeFi is shifting toward technical-debt vulnerabilities in custom or legacy contracts that keep running alongside newer, better-audited versions. This incident hit an older yETH pool that operated on a separate code path from the protocol’s main V2 and V3 vaults. The core defect was an unhandled state in the contract’s accounting, introduced by a gas optimization that cached pool balances in packed storage.

Analysis

The compromise targeted a cached-storage flaw in the pool’s internal accounting, which kept the pool’s virtual balances in packed storage variables (packed_vbs) to save gas. The attacker first ran multiple deposit-and-withdrawal cycles with flash-loaned funds, deliberately leaving residual, non-zero values in this cache. After the final withdrawal the pool’s supply counter correctly returned to zero, but the cached virtual balances were never cleared and remained populated, or “stale.” A subsequent deposit of only 16 wei then hit the branch reserved for the pool’s first-ever deposit: because supply was zero, the contract treated the deposit as the initial seeding of the pool and derived the amount to mint from the stale, inflated cache rather than from the 16 wei actually deposited. The result was a yETH supply unrelated to the assets backing it, which the attacker used to drain the pool.

Parameters

  • Total Loss Estimate → $9,000,000 – Total value of liquid staking tokens and WETH drained from the pools.
  • Exploited Token Supply → 235 Septillion yETH (≈2.35 × 10^26) – The astronomical number of tokens minted from a dust deposit.
  • Initial Deposit Cost → 16 Wei – The minimal amount of capital required to trigger the exploit logic.
  • Recovered Funds → $2.4 Million – Assets successfully recovered through coordinated efforts with DeFi partners.

Outlook

Protocols must now prioritize aggressive and complete deprecation of legacy contracts, since the risk carried by technical debt is now clearly quantifiable. The immediate mitigation for every DeFi protocol is a systematic review of gas-optimization logic, specifically of state variables that are cached or packed and are not fully reset to zero on a complete liquidity withdrawal. Any branch that keys off a zero supply (“first deposit” logic) deserves particular scrutiny: it will run again after the pool is fully drained, and it must not trust values left over from the pool’s previous life. The event also reinforces the need for invariant checks and formal verification that specifically model edge-case state transitions, above all arithmetic executed after the pool has been fully drained.
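The mechanism described in the Analysis section, and the review this section calls for, as an added example that is not the yETH pool’s code: a toy LP pool in Python whose cached virtual balances (the stand-in here for packed_vbs) survive a full withdrawal, a hardened variant that clears them, and an invariant check run over a randomized deposit/withdraw sequence. The rates, amounts, the `VulnerablePool`, `HardenedPool`, `cache_consistent`, `run_attack` and `fuzz` names, and the simplified minting arithmetic are all constructed for illustration; the toy reproduces the shape of the flaw (a stale cache read on the zero-supply path), not the pool’s invariant math or the incident’s magnitudes.

```python
"""Toy model of a stale-cache 'first deposit' flaw (constructed example; not
the yETH pool's code). VulnerablePool keeps its cached virtual balances after
supply returns to zero; HardenedPool clears them. Minting arithmetic is a
simplified stand-in for a real pool invariant."""
import random

PRECISION = 10**18  # fixed-point scale for asset rates, as in typical 1e18 pools


class VulnerablePool:
    """LP pool that caches per-asset virtual balances and trusts that cache on
    its 'first deposit' branch, even after supply has returned to zero."""

    def __init__(self, rates):
        self.rates = list(rates)             # asset -> rate, 1e18-scaled (constructed)
        self.balances = [0] * len(rates)     # real token balances held by the pool
        self.cached_vbs = [0] * len(rates)   # cached virtual balances (packed_vbs stand-in)
        self.supply = 0                      # LP token supply

    def deposit(self, amounts):
        prev_supply = self.supply
        prev_vb_sum = sum(self.cached_vbs)
        for i, amt in enumerate(amounts):
            self.balances[i] += amt
            self.cached_vbs[i] += amt * self.rates[i] // PRECISION
        vb_sum = sum(self.cached_vbs)
        if prev_supply == 0:
            # 'First deposit' branch: LP minted equals the whole cached invariant.
            # Correct for a genuinely fresh pool, wrong if the cache is stale.
            minted = vb_sum
        else:
            minted = prev_supply * (vb_sum - prev_vb_sum) // prev_vb_sum
        self.supply += minted
        return minted

    def withdraw(self, lp):
        if not 0 < lp <= self.supply:
            raise ValueError("invalid LP amount")
        out = []
        for i, rate in enumerate(self.rates):
            share_vb = self.cached_vbs[i] * lp // self.supply  # pro-rata share, floored
            tokens = share_vb * PRECISION // rate              # floored again
            self.balances[i] -= tokens
            # Cache is reduced by what was actually paid out, so rounding dust stays.
            self.cached_vbs[i] -= tokens * rate // PRECISION
            out.append(tokens)
        self.supply -= lp
        self._on_supply_change()
        return out

    def _on_supply_change(self):
        pass  # vulnerable: nothing clears the cache when supply reaches zero


class HardenedPool(VulnerablePool):
    """Same pool, but the cache is zeroed whenever supply returns to zero, so the
    first-deposit branch can only ever see a clean slate."""

    def _on_supply_change(self):
        if self.supply == 0:
            self.cached_vbs = [0] * len(self.rates)


def cache_consistent(pool):
    """Invariant to check after every transition: zero supply implies zero cache."""
    return pool.supply != 0 or not any(pool.cached_vbs)


def run_attack(pool_cls, cycles=3):
    """Full deposit/withdraw cycles that leave rounding dust in the cache, then a
    16-wei deposit on the 'first deposit' branch. Returns (minted, stale_vb)."""
    pool = pool_cls([10**18, 15 * 10**17])  # constructed rates: 1.0 and 1.5
    for k in range(1, cycles + 1):
        lp = pool.deposit([7 * k, 7 * k])
        pool.withdraw(lp)                    # supply is back to zero after this
    stale_vb = sum(pool.cached_vbs)          # dust the attacker left behind
    minted = pool.deposit([16, 0])           # 16 wei of asset 0
    return minted, stale_vb


def fuzz(pool_cls, steps=200, seed=1):
    """Random deposit/withdraw sequence. Returns the first step at which the
    invariant breaks, or None if it holds throughout."""
    rng = random.Random(seed)
    pool = pool_cls([10**18, 15 * 10**17, 11 * 10**17])
    for step in range(steps):
        if pool.supply and rng.random() < 0.5:
            full = rng.random() < 0.25       # sometimes withdraw everything
            pool.withdraw(pool.supply if full else rng.randint(1, pool.supply))
        else:
            pool.deposit([rng.randint(0, 10**6) for _ in pool.rates])
        if not cache_consistent(pool):
            return step
    return None


if __name__ == "__main__":
    for cls in (VulnerablePool, HardenedPool):
        minted, stale = run_attack(cls)
        print(f"{cls.__name__}: 16 wei minted {minted} LP (stale vb {stale}); "
              f"fuzz first violation: {fuzz(cls)}")
```

In the vulnerable variant the 16-wei deposit mints more LP than the deposit is worth because the first-deposit branch sums the stale cache into the mint; the hardened variant mints exactly 16. The toy stops at the unbacked mint and does not model how the excess tokens were turned into drained assets. The `cache_consistent` check is the kind of invariant a fuzzer or a formal specification should carry: it fails within a handful of random steps against the vulnerable pool and never fails against the hardened one.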

Verdict

The exploit is a definitive case study: arithmetic flaws and stale state variables in legacy smart contracts are a systemic, high-leverage attack vector against even the most established DeFi pioneers.

smart contract exploit, stale storage values, infinite minting bug, legacy contract risk, DeFi arithmetic flaw, token supply inflation, liquid staking tokens, stable swap pool, flash loan attack, on-chain forensics, protocol governance, asset recovery efforts, Ethereum mainnet, custom vault logic, unchecked calculations, state transition error, gas optimization bug, pool liquidity drain, token minting vulnerability, zero supply logic

Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

technical debt

Definition ∞ Technical debt represents the deferred cost of choosing an easier, but suboptimal, solution during software development instead of applying the best possible approach.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

supply

Definition ∞ Supply refers to the total quantity of a specific digital asset that is available in the market or has been issued.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.