Yearn yETH Pool Drained via Cached Storage Arithmetic Flaw → Security

A close-up view reveals a transparent, multi-chambered mechanism containing distinct white granular material actively moving over a textured blue base. The white substance appears agitated and flowing, guided by the clear structural elements, with a circular metallic component visible within the blue substrate

A detailed view of a complex, multi-layered metallic structure featuring prominent blue translucent elements, partially obscured by swirling white, cloud-like material. A reflective silver sphere is embedded within the intricate framework, suggesting dynamic interaction and movement

Briefing

The Yearn Finance yETH stableswap pool suffered a critical exploit, resulting from a flaw in the contract’s internal accounting logic. This vulnerability allowed an attacker to manipulate the pool’s state and mint an astronomical number of tokens, completely draining the liquidity from the affected pools. The primary consequence is a $9 million loss across the yETH and yETH-WETH pools, underscoring the extreme financial risk inherent in complex, custom-built smart contract architectures. The attack was executed by depositing just 16 wei, which leveraged the flaw to trigger an infinite token minting sequence.

A dark blue, spherical digital asset is partially enveloped by a translucent, light blue, flowing material. This enveloping layer is speckled with numerous tiny white particles, creating a dynamic, abstract composition against a soft grey background

Context

The incident occurred in a custom stableswap contract, a complex design distinct from the protocol’s main V2/V3 vaults. This pre-existing security posture introduced an expanded attack surface due to the complexity of custom arithmetic and gas optimization techniques. Specifically, the contract utilized cached storage variables to store virtual balance information, a common optimization technique that, without rigorous state management, introduces a known class of vulnerability.

A detailed, close-up view shows a light blue, textured surface forming a deep, circular indentation. A spherical object resembling a full moon floats centrally above this void, symbolizing a digital asset experiencing significant price action or 'mooning' within the DeFi landscape

Analysis

The attacker executed the exploit by first using a flash loan to perform multiple deposit and withdrawal cycles, deliberately accumulating small residual values in the packed_vbs cached storage variables. Subsequently, all remaining liquidity was withdrawn, which correctly reset the main token supply counter to zero but critically failed to clear the accumulated phantom balances in the cached storage. A final minimal deposit of 16 wei then triggered the contract’s “first-ever deposit” logic, which incorrectly read the uncleared, inflated values from the cached storage. This logical failure allowed the attacker to mint a near-infinite token supply, which was then redeemed for all underlying assets in the pool.

The image displays a detailed, abstract composition centered on a symmetrical, metallic blue and white 'X' shaped structure. This central element is surrounded and partially integrated into a textured, white, bubbly matrix, creating a sense of depth and complex interweaving

Parameters

Total Funds Lost → $9 Million (The combined financial loss from the yETH stableswap and yETH-WETH pools.)
Attack Vector → Cached Storage Flaw (A critical arithmetic and state-management error in the custom contract logic.)
Input Trigger → 16 Wei Deposit (The minimal amount of input required to execute the final, token-minting stage of the exploit.)
Asset Laundering → Tornado Cash (The primary crypto mixer used by the attacker to obscure the flow of a portion of the stolen ETH.)

A white, rectangular, modular device with visible ports and connections extends into a vibrant, glowing blue crystalline structure, which is composed of numerous small, luminous spheres and interspersed with frosty textures. The background shows a blurred continuation of similar blue and white elements, suggesting a complex digital environment

Outlook

Immediate mitigation requires all protocols utilizing complex, custom-forked stableswap or AMM logic to conduct an urgent, explicit audit of all state-transition functions. The failure to clear cached storage variables upon a zero-supply condition establishes a new security best practice → explicit state management must be prioritized over gas optimization. The contagion risk remains low for standardized protocols, but any project relying on similar unchecked arithmetic or complex storage packing must assume an active threat.

The incident confirms that unchecked arithmetic and state-management oversights in custom smart contract forks remain the single greatest systemic risk to the DeFi ecosystem.

Token Minting Flaw, DeFi Pool Exploit, Stableswap Logic Flaw, Storage Variable Bug, Infinite Supply Attack, Arithmetic Flaw, Gas Optimization Risk, On-Chain Accounting Error, Liquidity Drain, Minimal Deposit Exploit, Ethereum Protocol Risk, State Transition Error, Unchecked Calculation Signal Acquired from → checkpoint.com