Security

Yearn yETH Pool Drained via Cached Storage Arithmetic Flaw

An uncleared internal storage variable enabled a minimal deposit to mint infinite tokens, exposing a critical risk in complex stableswap logic.
December 4, 20253 min

A futuristic, ice-covered device with glowing blue internal mechanisms is prominently displayed, featuring a large, moon-like sphere at its core. The intricate structure is partially obscured by frost, highlighting both its advanced technology and its cold, secure nature
A translucent, frosted component with an intricate blue internal structure is prominently displayed on a white, grid-patterned surface. The object's unique form factor and textured exterior are clearly visible, resting against the regular pattern of the underlying grid, which features evenly spaced rectangular apertures

Briefing

The Yearn Finance yETH stableswap pool suffered a critical exploit, resulting from a flaw in the contract’s internal accounting logic. This vulnerability allowed an attacker to manipulate the pool’s state and mint an astronomical number of tokens, completely draining the liquidity from the affected pools. The primary consequence is a $9 million loss across the yETH and yETH-WETH pools, underscoring the extreme financial risk inherent in complex, custom-built smart contract architectures. The attack was executed by depositing just 16 wei, which leveraged the flaw to trigger an infinite token minting sequence.

The image displays a close-up of a sleek, translucent blue object with a prominent brushed metallic band. A small, circular, luminous blue button or indicator is embedded in the center of the metallic band

Context

The incident occurred in a custom stableswap contract, a complex design distinct from the protocol’s main V2/V3 vaults. This pre-existing security posture introduced an expanded attack surface due to the complexity of custom arithmetic and gas optimization techniques. Specifically, the contract utilized cached storage variables to store virtual balance information, a common optimization technique that, without rigorous state management, introduces a known class of vulnerability.

The image displays vibrant blue, faceted crystalline structures, resembling precious gemstones, partially surrounded by soft, white, cloud-like material. These elements are contained within a translucent blue vessel, with additional white material spilling over its edges

Analysis

The attacker executed the exploit by first using a flash loan to perform multiple deposit and withdrawal cycles, deliberately accumulating small residual values in the packed_vbs cached storage variables. Subsequently, all remaining liquidity was withdrawn, which correctly reset the main token supply counter to zero but critically failed to clear the accumulated phantom balances in the cached storage. A final minimal deposit of 16 wei then triggered the contract’s “first-ever deposit” logic, which incorrectly read the uncleared, inflated values from the cached storage. This logical failure allowed the attacker to mint a near-infinite token supply, which was then redeemed for all underlying assets in the pool.

The image displays a high-fidelity rendering of a transparent device, revealing complex internal blue components and a prominent brushed metal surface. The device's outer shell is clear, showcasing the intricate design of its inner workings

Parameters

  • Total Funds Lost → $9 Million (The combined financial loss from the yETH stableswap and yETH-WETH pools.)
  • Attack Vector → Cached Storage Flaw (A critical arithmetic and state-management error in the custom contract logic.)
  • Input Trigger → 16 Wei Deposit (The minimal amount of input required to execute the final, token-minting stage of the exploit.)
  • Asset Laundering → Tornado Cash (The primary crypto mixer used by the attacker to obscure the flow of a portion of the stolen ETH.)

A meticulously engineered device showcases an exposed internal mechanism with intricate metallic gears, plates, and springs, set against a clean white background. Bright blue interwoven strands encase the core, providing a striking visual contrast to the polished silver and vibrant blue internal components

Outlook

Immediate mitigation requires all protocols utilizing complex, custom-forked stableswap or AMM logic to conduct an urgent, explicit audit of all state-transition functions. The failure to clear cached storage variables upon a zero-supply condition establishes a new security best practice → explicit state management must be prioritized over gas optimization. The contagion risk remains low for standardized protocols, but any project relying on similar unchecked arithmetic or complex storage packing must assume an active threat.

The incident confirms that unchecked arithmetic and state-management oversights in custom smart contract forks remain the single greatest systemic risk to the DeFi ecosystem.

Token Minting Flaw, DeFi Pool Exploit, Stableswap Logic Flaw, Storage Variable Bug, Infinite Supply Attack, Arithmetic Flaw, Gas Optimization Risk, On-Chain Accounting Error, Liquidity Drain, Minimal Deposit Exploit, Ethereum Protocol Risk, State Transition Error, Unchecked Calculation Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

cached storage variables

Definition ∞ Cached storage variables refer to data elements temporarily held in a faster access memory layer, rather than directly retrieved from the primary, slower blockchain storage.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

gas optimization

Definition ∞ Gas optimization refers to the practice of minimizing the computational resources, or "gas," required to execute transactions and smart contracts on a blockchain.

Tags:

Tags: