Briefing

The Yearn Finance yETH stableswap pool suffered a critical exploit caused by a flaw in the contract’s internal accounting logic. The vulnerability allowed an attacker to manipulate the pool’s state and mint an astronomical number of tokens, completely draining the liquidity from the affected pools. The primary consequence is a $9 million loss across the yETH and yETH-WETH pools, underscoring the extreme financial risk inherent in complex, custom-built smart contract architectures. The final step of the attack was a deposit of just 16 wei, which used the flaw to trigger an infinite token minting sequence.

Context

The incident occurred in a custom stableswap contract, a complex design distinct from the protocol’s main V2/V3 vaults. The complexity of its custom arithmetic and gas optimization techniques expanded the attack surface. Specifically, the contract used cached storage variables to hold virtual balance information, a common optimization technique that, without rigorous state management, introduces a known class of vulnerability.

Analysis

The attacker executed the exploit by first using a flash loan to perform multiple deposit and withdrawal cycles, deliberately accumulating small residual values in the packed_vbs cached storage variables. Subsequently, all remaining liquidity was withdrawn, which correctly reset the main token supply counter to zero but critically failed to clear the accumulated phantom balances in the cached storage. A final minimal deposit of 16 wei then triggered the contract’s “first-ever deposit” logic, which incorrectly read the uncleared, inflated values from the cached storage. This logical failure allowed the attacker to mint a near-infinite token supply, which was then redeemed for all underlying assets in the pool.
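The state-reset failure described above can be reproduced in a small model. The following is an added example, not code from Yearn or from the original report: the Pool class, the 105/100 rate, the rounding directions and the 7-unit cycle size are all assumptions chosen to make a residue appear, and the model shows only the stale-cache defect and its fix, not the real contract's arithmetic or the scale of the loss.

```python
# Toy model, constructed for illustration; it is not the yETH contract or its math.
RATE_NUM, RATE_DEN = 105, 100   # assumed asset rate used to derive virtual balances

class Pool:
    def __init__(self, clear_cache_on_empty):
        self.assets = 0        # real tokens held
        self.supply = 0        # LP tokens outstanding
        self.cached_vb = 0     # cached virtual balance (stand-in for packed_vbs)
        self.clear_cache_on_empty = clear_cache_on_empty

    def deposit(self, amount):
        vb_add = -(-amount * RATE_NUM // RATE_DEN)        # rounds up
        if self.supply == 0:
            # First-deposit path: mints against whatever the cache holds.
            minted = self.cached_vb + vb_add
        else:
            minted = vb_add * self.supply // self.cached_vb
        self.cached_vb += vb_add
        self.supply += minted
        self.assets += amount
        return minted

    def withdraw(self, lp):
        payout = lp * self.assets // self.supply
        self.cached_vb -= payout * RATE_NUM // RATE_DEN   # rounds down
        self.supply -= lp
        self.assets -= payout
        if self.supply == 0 and self.clear_cache_on_empty:
            self.cached_vb = 0                            # explicit state reset
        return payout

def empty_state_is_clean(pool):
    """Invariant for tests and monitoring: no supply implies no cached balance."""
    return pool.supply != 0 or pool.cached_vb == 0

def run_cycles(pool, cycles, amount=7):
    """Repeat deposit + full withdrawal; return the residue left in the cache."""
    for _ in range(cycles):
        pool.withdraw(pool.deposit(amount))
    return pool.cached_vb

def compare(cycles=5, final_deposit=16):
    """Return (residue, invariant holds, LP minted for the final deposit) per variant."""
    result = {}
    for name, clear in (("uncleared", False), ("cleared", True)):
        pool = Pool(clear)
        residue = run_cycles(pool, cycles)
        result[name] = (residue, empty_state_is_clean(pool), pool.deposit(final_deposit))
    return result
```

The empty_state_is_clean check is the property worth asserting in fuzz tests and in on-chain monitoring: whenever supply reaches zero, every cached balance must also be zero.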

Parameters

  • Total Funds Lost → $9 Million (The combined financial loss from the yETH stableswap and yETH-WETH pools.)
  • Attack Vector → Cached Storage Flaw (A critical arithmetic and state-management error in the custom contract logic.)
  • Input Trigger → 16 Wei Deposit (The minimal amount of input required to execute the final, token-minting stage of the exploit.)
  • Asset Laundering → Tornado Cash (The primary crypto mixer used by the attacker to obscure the flow of a portion of the stolen ETH.)

Outlook

Immediate mitigation requires all protocols utilizing complex, custom-forked stableswap or AMM logic to conduct an urgent, explicit audit of all state-transition functions. The failure to clear cached storage variables upon a zero-supply condition establishes a new security best practice → explicit state management must be prioritized over gas optimization. The contagion risk remains low for standardized protocols, but any project relying on similar unchecked arithmetic or complex storage packing must assume an active threat.

The incident confirms that unchecked arithmetic and state-management oversights in custom smart contract forks remain the single greatest systemic risk to the DeFi ecosystem.

Signal Acquired from → checkpoint.com