Briefing

The Yearn Finance legacy yETH StableSwap pool was exploited for approximately $9 million via a sophisticated token minting attack. The attack leveraged a critical flaw in the pool’s custom accounting logic, allowing the malicious actor to mint an astronomical supply of yETH tokens and drain the underlying liquid staking assets. This incident is notable because the attacker successfully minted 235 septillion yETH with a minimal 16 wei deposit, highlighting an extreme capital-efficiency vector.


Context

The prevailing attack surface in DeFi is increasingly shifting toward technical-debt vulnerabilities in custom or legacy contracts that keep running alongside newer, better-audited versions. This incident specifically leveraged an older yETH pool, which operated on a separate code path from the protocol’s main V2 and V3 vaults. The core risk was an unhandled state in the contract’s accounting, introduced by a gas-optimization technique: balances were cached in packed storage rather than recomputed.


Analysis

The compromise targeted a cached-storage flaw in the pool’s internal accounting, which kept virtual balances in packed storage (packed_vbs) as a gas-saving cache. The attacker first ran multiple deposit-and-withdrawal cycles with flash-loaned funds, deliberately leaving residual, non-zero values in this cache. On the final withdrawal the total-supply counter correctly reset to zero, but the cached virtual balances remained populated, i.e. stale. A subsequent deposit of just 16 wei then triggered the contract’s “first-ever deposit” branch, which read the stale, inflated cache values instead of treating the pool as empty, allowing the attacker to mint a near-infinite token supply and drain the pool’s assets.


Parameters

  • Total Loss Estimate → $9,000,000 – Total value of liquid staking tokens and WETH drained from the pools.
  • Exploited Token Supply → 235 Septillion yETH – The astronomical number of tokens minted from a dust deposit.
  • Initial Deposit Cost → 16 Wei – The minimal amount of capital required to trigger the exploit logic.
  • Recovered Funds → $2.4 Million – Assets successfully recovered through coordinated efforts with DeFi partners.


Outlook

Protocols must now prioritize aggressive and complete deprecation of legacy contracts, as the risk from technical debt is clearly quantifiable. Immediate mitigation for all DeFi protocols involves a systematic review of gas-optimization logic, specifically focusing on state variables that are cached and not fully reset to zero during complete liquidity withdrawals. This event reinforces the need for formal verification tools that specifically model and test for edge-case state transitions, especially those involving arithmetic after a pool has been fully drained.
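As an added illustration for both the Analysis above and the review the Outlook calls for, the following Python model is not yETH’s code or Yearn’s; the packing layout, exchange rates and deposit amounts are constructed assumptions. It reproduces the class of bug in simplified form: a pool that caches virtual balances in one packed storage word, partial withdrawals whose rounded-down cache decrements leave residue behind, a cache that survives the supply returning to zero, and a dust deposit that hits the first-deposit branch and is credited the stale residue. It also encodes the two invariants a test suite or formal spec should enforce (empty pool implies empty cache; cached virtual value never exceeds real holdings) and a hardened variant that clears the cache whenever supply hits zero. The residue here is a few wei per cycle; the point is the state transition, not the magnitudes of the real incident.

```python
"""Toy model of a StableSwap-style pool that caches virtual balances in one
packed storage word for gas savings, plus the invariant checks that would
flag a stale cache after a full withdrawal. Constructed example: the packing
layout, RATES and amounts are assumptions, not the yETH pool's actual code."""

from dataclasses import dataclass, field

PRECISION = 10**18
VB_BITS = 128                      # assumed: 128 bits per cached balance
VB_MASK = (1 << VB_BITS) - 1
RATES = [PRECISION, 11 * 10**17]   # assumed: asset 1 is an LST worth 1.1 ETH


def pack_vbs(vbs):
    """Pack per-asset virtual balances into a single integer word."""
    packed = 0
    for i, vb in enumerate(vbs):
        if not 0 <= vb <= VB_MASK:
            raise ValueError("virtual balance does not fit its packed slot")
        packed |= vb << (VB_BITS * i)
    return packed


def unpack_vbs(packed, n):
    """Inverse of pack_vbs for n assets."""
    return [(packed >> (VB_BITS * i)) & VB_MASK for i in range(n)]


@dataclass
class Pool:
    hardened: bool = False           # True: clear the cache when supply hits 0
    supply: int = 0                  # total LP token supply
    packed_vbs: int = 0              # cached virtual balances (the gas cache)
    balances: list = field(default_factory=lambda: [0] * len(RATES))

    def deposit(self, amounts):
        vbs = unpack_vbs(self.packed_vbs, len(RATES))
        added = [a * r // PRECISION for a, r in zip(amounts, RATES)]
        new_vbs = [vb + d for vb, d in zip(vbs, added)]
        if self.supply == 0:
            # "first-ever deposit" branch: mint 1:1 against the virtual
            # balances as read from the cache, so anything stale in
            # packed_vbs is credited to this depositor on top of what they sent.
            minted = sum(new_vbs)
        else:
            minted = self.supply * sum(added) // sum(vbs)
        self.packed_vbs = pack_vbs(new_vbs)
        self.supply += minted
        self.balances = [b + a for b, a in zip(self.balances, amounts)]
        return minted

    def withdraw(self, lp_amount):
        vbs = unpack_vbs(self.packed_vbs, len(RATES))
        out = [b * lp_amount // self.supply for b in self.balances]
        # Each cached balance is decremented by the rounded-down virtual value
        # of the tokens paid out, so partial withdrawals leave residue behind.
        new_vbs = [vb - o * r // PRECISION for vb, o, r in zip(vbs, out, RATES)]
        self.supply -= lp_amount
        self.balances = [b - o for b, o in zip(self.balances, out)]
        if self.supply == 0 and self.hardened:
            new_vbs = [0] * len(RATES)   # empty pool: the cache must be empty too
        self.packed_vbs = pack_vbs(new_vbs)
        return out


def cache_consistent(pool):
    """Invariant 1: an empty pool must carry no cached virtual balance."""
    return pool.supply != 0 or pool.packed_vbs == 0


def no_phantom_value(pool):
    """Invariant 2: cached virtual value never exceeds real holdings."""
    vbs = unpack_vbs(pool.packed_vbs, len(RATES))
    real = sum(b * r // PRECISION for b, r in zip(pool.balances, RATES))
    return sum(vbs) <= real


def run_cycles(hardened, cycles=3, dust=16):
    """Deposit, withdraw in two halves, repeat; then make a dust deposit.
    Reports the stale cache value, whether invariant 1 held on the empty
    pool, how much LP the dust deposit minted, and whether invariant 2 holds."""
    pool = Pool(hardened=hardened)
    amount = 10**18 + 17                      # constructed odd amount
    for _ in range(cycles):
        pool.deposit([amount, amount])
        pool.withdraw(pool.supply // 2)
        pool.withdraw(pool.supply)            # supply returns to zero
    report = {
        "stale": sum(unpack_vbs(pool.packed_vbs, len(RATES))),
        "cache_ok_when_empty": cache_consistent(pool),
    }
    report["minted"] = pool.deposit([dust, 0])
    report["phantom_free"] = no_phantom_value(pool)
    return report


if __name__ == "__main__":
    print("vulnerable:", run_cycles(hardened=False))
    print("hardened:  ", run_cycles(hardened=True))
```

Running the vulnerable variant shows a non-zero cache on an empty pool and a 16 wei deposit that is credited more LP than it funded; the hardened variant reports a zero cache and a 1:1 mint. The two invariant functions are the useful part for a review of existing pools: they are the properties a property-based test or a formal specification should assert after every state transition, including the fully drained state the Outlook singles out.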


Verdict

The exploit serves as a definitive case study that legacy smart contract arithmetic flaws and stale state variables represent a systemic, high-leverage attack vector against even the most established DeFi pioneers.

Signal Acquired from → checkpoint.com
