Briefing

The Yearn Finance yETH stableswap pool suffered a critical exploit, resulting from a flaw in the contract’s internal accounting logic. This vulnerability allowed an attacker to manipulate the pool’s state and mint an astronomical number of tokens, completely draining the liquidity from the affected pools. The primary consequence is a $9 million loss across the yETH and yETH-WETH pools, underscoring the extreme financial risk inherent in complex, custom-built smart contract architectures. The attack was executed by depositing just 16 wei, which leveraged the flaw to trigger an infinite token minting sequence.

A luminous, translucent blue-grey amorphous structure elegantly envelops a vibrant, solid blue sphere, set against a subtle gradient background. The flowing, organic forms create a sense of depth and protection around the central element

Context

The incident occurred in a custom stableswap contract, a complex design distinct from the protocol’s main V2/V3 vaults. This pre-existing security posture introduced an expanded attack surface due to the complexity of custom arithmetic and gas optimization techniques. Specifically, the contract utilized cached storage variables to store virtual balance information, a common optimization technique that, without rigorous state management, introduces a known class of vulnerability.

A close-up view reveals multiple translucent blue gears meshing with silver metallic components, forming an intricate mechanical assembly. The blue gears, with their faceted surfaces, suggest advanced digital processes and programmatic logic

Analysis

The attacker executed the exploit by first using a flash loan to perform multiple deposit and withdrawal cycles, deliberately accumulating small residual values in the packed_vbs cached storage variables. Subsequently, all remaining liquidity was withdrawn, which correctly reset the main token supply counter to zero but critically failed to clear the accumulated phantom balances in the cached storage. A final minimal deposit of 16 wei then triggered the contract’s “first-ever deposit” logic, which incorrectly read the uncleared, inflated values from the cached storage. This logical failure allowed the attacker to mint a near-infinite token supply, which was then redeemed for all underlying assets in the pool.

A futuristic, multi-faceted object with a textured, icy blue exterior and glowing internal components rests on a light grey surface. Its complex structure features a central hexagonal aperture, revealing metallic frameworks and vibrant blue conduits within

Parameters

  • Total Funds Lost → $9 Million (The combined financial loss from the yETH stableswap and yETH-WETH pools.)
  • Attack Vector → Cached Storage Flaw (A critical arithmetic and state-management error in the custom contract logic.)
  • Input Trigger → 16 Wei Deposit (The minimal amount of input required to execute the final, token-minting stage of the exploit.)
  • Asset Laundering → Tornado Cash (The primary crypto mixer used by the attacker to obscure the flow of a portion of the stolen ETH.)

A close-up view reveals a multi-faceted, transparent object with sharp geometric edges, encasing a smooth, amorphous blue mass within its core. The interplay of light through the clear material highlights the vibrant blue interior and the intricate structure of the outer shell

Outlook

Immediate mitigation requires all protocols utilizing complex, custom-forked stableswap or AMM logic to conduct an urgent, explicit audit of all state-transition functions. The failure to clear cached storage variables upon a zero-supply condition establishes a new security best practice → explicit state management must be prioritized over gas optimization. The contagion risk remains low for standardized protocols, but any project relying on similar unchecked arithmetic or complex storage packing must assume an active threat.

The incident confirms that unchecked arithmetic and state-management oversights in custom smart contract forks remain the single greatest systemic risk to the DeFi ecosystem.

Token Minting Flaw, DeFi Pool Exploit, Stableswap Logic Flaw, Storage Variable Bug, Infinite Supply Attack, Arithmetic Flaw, Gas Optimization Risk, On-Chain Accounting Error, Liquidity Drain, Minimal Deposit Exploit, Ethereum Protocol Risk, State Transition Error, Unchecked Calculation Signal Acquired from → checkpoint.com

Micro Crypto News Feeds