Security

Yearn Legacy Pool Drained Exploiting Stale Storage Value Arithmetic Flaw

A critical logic flaw in gas-saving state caching allowed an attacker to mint infinite tokens, demonstrating the systemic risk of legacy contract arithmetic.
December 2, 20253 min

The image displays several blue and clear crystalline forms and rough blue rocks, arranged on a textured white surface resembling snow, with a white fabric draped over one rock. A reflective foreground mirrors the scene, set against a soft blue background
The image presents a striking close-up of a crumpled, translucent object filled with a vibrant blue liquid, adorned with numerous white bubbles. A distinct metallic silver ring is integrated into the left side of the object, all set against a soft, light gray background

Briefing

The Yearn Finance legacy yETH StableSwap pool was exploited for approximately $9 million via a sophisticated token minting attack. The attack leveraged a critical flaw in the pool’s custom accounting logic, allowing the malicious actor to mint an astronomical supply of yETH tokens and drain the underlying liquid staking assets. This incident is notable because the attacker successfully minted 235 septillion yETH with a minimal 16 wei deposit, highlighting an extreme capital-efficiency vector.

The composition features a horizontal, elongated mass of sparkling blue crystalline fragments, ranging from deep indigo to bright sapphire, flanked by four smooth white spheres. Transparent, intersecting rings interconnect and encapsulate this central structure against a neutral grey background

Context

The prevailing attack surface in DeFi is increasingly shifting toward technical debt vulnerabilities within custom or legacy contracts running alongside newer, more secure versions. This incident specifically leveraged an older yETH pool, which operated on a separate code path from the protocol’s main V2 and V3 vaults. The core risk was a critical, unhandled state in the contract’s accounting introduced by gas-optimization techniques.

A robust, metallic blue and silver apparatus is partially submerged in a field of fine, sparkling granular particles. A vibrant stream of blue, particle-laden fluid traverses a transparent central channel

Analysis

The compromise targeted a Cached Storage Flaw within the pool’s internal accounting, which used packed_vbs variables to cache virtual balances for gas efficiency. The attacker first executed multiple deposit-and-withdrawal cycles using flash-loaned funds, deliberately accumulating residual, non-zero values in this storage cache. Upon the final withdrawal, the main supply counter correctly reset to zero, but the cached storage values remained populated, or “stale.” A subsequent minimal deposit of 16 wei triggered the contract’s “first-ever deposit” logic, which incorrectly read the stale, inflated cache values, allowing the attacker to mint a near-infinite token supply to drain the pool’s assets.

The image displays a detailed close-up of transparent, spherical glass-like components filled with a vibrant, bubbly blue liquid, interconnected with brushed metallic cylindrical structures. The central spherical element features an intricate internal mechanism, suggesting a sophisticated technological apparatus

Parameters

  • Total Loss Estimate → $9,000,000 – Total value of liquid staking tokens and WETH drained from the pools.
  • Exploited Token Supply → 235 Septillion yETH – The astronomical number of tokens minted from a dust deposit.
  • Initial Deposit Cost → 16 Wei – The minimal amount of capital required to trigger the exploit logic.
  • Recovered Funds → $2.4 Million – Assets successfully recovered through coordinated efforts with DeFi partners.

A translucent, effervescent blue liquid forms a dynamic, swirling structure, appearing to encapsulate or interact with a metallic component. The vivid blue liquid, adorned with white foam, represents the intricate flow of digital assets and data streams within a decentralized finance DeFi ecosystem

Outlook

Protocols must now prioritize aggressive and complete deprecation of legacy contracts, as the risk from technical debt is clearly quantifiable. Immediate mitigation for all DeFi protocols involves a systematic review of gas-optimization logic, specifically focusing on state variables that are cached and not fully reset to zero during complete liquidity withdrawals. This event reinforces the need for formal verification tools that specifically model and test for edge-case state transitions, especially those involving arithmetic after a pool has been fully drained.

A close-up view reveals a sophisticated metallic mechanism, resembling intricate gears and structural components, partially immersed within a dynamic, effervescent blue liquid. The liquid is densely populated with numerous bubbles of varying sizes, appearing to flow and interact with the polished surfaces of the machinery

Verdict

The exploit serves as a definitive case study that legacy smart contract arithmetic flaws and stale state variables represent a systemic, high-leverage attack vector against even the most established DeFi pioneers.

smart contract exploit, stale storage values, infinite minting bug, legacy contract risk, DeFi arithmetic flaw, token supply inflation, liquid staking tokens, stable swap pool, flash loan attack, on-chain forensics, protocol governance, asset recovery efforts, Ethereum mainnet, custom vault logic, unchecked calculations, state transition error, gas optimization bug, pool liquidity drain, token minting vulnerability, zero supply logic Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

technical debt

Definition ∞ Technical debt represents the deferred cost of choosing an easier, but suboptimal, solution during software development instead of applying the best possible approach.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

supply

Definition ∞ Supply refers to the total quantity of a specific digital asset that is available in the market or has been issued.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

Tags:

Tags: