Security

Yearn yETH Pool Drained via Cached Storage Arithmetic Flaw

An uncleared internal storage variable enabled a minimal deposit to mint infinite tokens, exposing a critical risk in complex stableswap logic.
December 4, 20253 min

A translucent, frosted component with an intricate blue internal structure is prominently displayed on a white, grid-patterned surface. The object's unique form factor and textured exterior are clearly visible, resting against the regular pattern of the underlying grid, which features evenly spaced rectangular apertures
A futuristic, multi-segmented white sphere is shown partially open, revealing a dense cluster of glowing blue, translucent cubic forms within its core. These internal cubes feature intricate white line patterns and symbols, suggesting complex data structures

Briefing

The Yearn Finance yETH stableswap pool suffered a critical exploit, resulting from a flaw in the contract’s internal accounting logic. This vulnerability allowed an attacker to manipulate the pool’s state and mint an astronomical number of tokens, completely draining the liquidity from the affected pools. The primary consequence is a $9 million loss across the yETH and yETH-WETH pools, underscoring the extreme financial risk inherent in complex, custom-built smart contract architectures. The attack was executed by depositing just 16 wei, which leveraged the flaw to trigger an infinite token minting sequence.

A prominent textured sphere, resembling a moon, is securely nestled within a sophisticated metallic blue and silver geometric structure. This intricate assembly is partially covered with white frosty particles, creating a visual metaphor for robust digital asset security

Context

The incident occurred in a custom stableswap contract, a complex design distinct from the protocol’s main V2/V3 vaults. This pre-existing security posture introduced an expanded attack surface due to the complexity of custom arithmetic and gas optimization techniques. Specifically, the contract utilized cached storage variables to store virtual balance information, a common optimization technique that, without rigorous state management, introduces a known class of vulnerability.

A highly detailed close-up reveals a sleek, metallic blue and silver mechanical device, featuring a prominent lens-like component and intricate internal structures. White, frothy foam actively surrounds and interacts with the central mechanism, suggesting a dynamic operational process within the unit

Analysis

The attacker executed the exploit by first using a flash loan to perform multiple deposit and withdrawal cycles, deliberately accumulating small residual values in the packed_vbs cached storage variables. Subsequently, all remaining liquidity was withdrawn, which correctly reset the main token supply counter to zero but critically failed to clear the accumulated phantom balances in the cached storage. A final minimal deposit of 16 wei then triggered the contract’s “first-ever deposit” logic, which incorrectly read the uncleared, inflated values from the cached storage. This logical failure allowed the attacker to mint a near-infinite token supply, which was then redeemed for all underlying assets in the pool.

This detailed perspective captures a sleek, modular device displaying exposed internal engineering. The central light blue unit features a dark, reflective display surface, flanked by dark gray and black structural elements that reveal complex blue and silver mechanical components, including visible gears and piston-like structures

Parameters

  • Total Funds Lost → $9 Million (The combined financial loss from the yETH stableswap and yETH-WETH pools.)
  • Attack Vector → Cached Storage Flaw (A critical arithmetic and state-management error in the custom contract logic.)
  • Input Trigger → 16 Wei Deposit (The minimal amount of input required to execute the final, token-minting stage of the exploit.)
  • Asset Laundering → Tornado Cash (The primary crypto mixer used by the attacker to obscure the flow of a portion of the stolen ETH.)

The image displays a complex, futuristic apparatus featuring transparent blue and metallic silver components. White, cloud-like vapor and a spherical moon-like object are integrated within the intricate structure, alongside crystalline blue elements

Outlook

Immediate mitigation requires all protocols utilizing complex, custom-forked stableswap or AMM logic to conduct an urgent, explicit audit of all state-transition functions. The failure to clear cached storage variables upon a zero-supply condition establishes a new security best practice → explicit state management must be prioritized over gas optimization. The contagion risk remains low for standardized protocols, but any project relying on similar unchecked arithmetic or complex storage packing must assume an active threat.

The incident confirms that unchecked arithmetic and state-management oversights in custom smart contract forks remain the single greatest systemic risk to the DeFi ecosystem.

Token Minting Flaw, DeFi Pool Exploit, Stableswap Logic Flaw, Storage Variable Bug, Infinite Supply Attack, Arithmetic Flaw, Gas Optimization Risk, On-Chain Accounting Error, Liquidity Drain, Minimal Deposit Exploit, Ethereum Protocol Risk, State Transition Error, Unchecked Calculation Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

cached storage variables

Definition ∞ Cached storage variables refer to data elements temporarily held in a faster access memory layer, rather than directly retrieved from the primary, slower blockchain storage.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

gas optimization

Definition ∞ Gas optimization refers to the practice of minimizing the computational resources, or "gas," required to execute transactions and smart contracts on a blockchain.

Tags:

Tags: