Security

Yearn yETH Pool Drained via Unreset Cached Storage Logic Flaw

A failure to clear cached virtual balances after a full pool withdrawal enabled an attacker to mint infinite LP tokens, compromising $9 million in liquid staking assets .
December 6, 20253 min

A close-up reveals a futuristic apparatus composed of translucent blue chambers filled with bubbling liquid, integrated with polished silver-grey mechanical structures. Hexagonal internal frameworks are visible within the clear liquid, creating a dynamic and complex visual representation of advanced engineering
A detailed close-up reveals a sleek, futuristic device featuring polished silver-toned metallic components and a vibrant, translucent blue liquid chamber. White, frothy foam overflows from the top and sides of the blue liquid, which is visibly agitated with numerous small bubbles, suggesting a dynamic process

Briefing

The Yearn Finance yETH Stableswap pool was compromised on November 30, 2025, via a sophisticated infinite token minting exploit, resulting in a loss of approximately $9 million in liquid staking assets. This attack leveraged a critical flaw in the pool’s custom accounting logic, specifically a failure to reset cached virtual balance variables ( packed_vbs ) after the pool’s total supply was drained to zero. The attacker successfully executed a three-stage manipulation, turning a minimal 16 wei deposit into 235 septillion LP tokens, thereby draining the entire pool’s holdings.

A sleek, metallic structure, possibly a hardware wallet or node component, features two embedded circular modules depicting a cratered lunar surface in cool blue tones. The background is a blurred, deep blue, suggesting a cosmic environment with subtle, bright specks

Context

The incident highlights the persistent risk associated with custom, gas-optimized smart contract implementations, particularly within the complex architecture of yield aggregators. Despite Yearn Finance’s status as a veteran protocol, the custom StableSwap code used for the yETH pool → which caches values to reduce transaction costs → introduced a non-standard attack surface that was not fully mitigated by prior audits. This pre-existing condition of code fragility in a high-value, composable asset pool was the primary vulnerability.

The image displays granular blue and white material flowing through transparent, curved channels, interacting with metallic components and a clear sphere. A mechanical claw-like structure holds a white disc, while a thin rod with a small sphere extends over the white granular substance

Analysis

The attack chain began with the attacker using flash-loaned funds to perform multiple deposit-and-withdrawal cycles, strategically accumulating non-zero residual values in the packed_vbs storage variables. Following a complete withdrawal that correctly reset the main supply counter to zero, the cached storage values remained populated with phantom balances. The final step involved a minuscule 16 wei deposit, which the contract’s “first deposit” logic misinterpreted by reading the accumulated phantom values from the cache. This miscalculation led to the minting of a near-infinite amount of LP tokens, allowing the attacker to withdraw all underlying assets from the pool.

The image showcases a high-tech device, featuring a prominent, faceted blue gem-like component embedded within a brushed metallic and transparent casing. A slender metallic rod runs alongside, emphasizing precision engineering and sleek design

Parameters

  • Total Loss → ~$9 Million (The combined value drained from the yETH Stableswap pool and the Curve pool ).
  • Attack Vector → Infinite Token Mint (Exploiting a cached storage logic flaw to mint 235 septillion LP tokens ).
  • Vulnerable Component → yETH Stableswap Pool (A custom contract logic, unrelated to Yearn V2/V3 vaults ).
  • Laundering Method → Tornado Cash (~$3 million in ETH sent to the mixer ).

A prominent textured sphere, resembling a moon, is securely nestled within a sophisticated metallic blue and silver geometric structure. This intricate assembly is partially covered with white frosty particles, creating a visual metaphor for robust digital asset security

Outlook

Protocols leveraging complex, gas-optimized accounting logic must immediately review all functions that rely on cached state variables, ensuring a complete and atomic reset upon total liquidity withdrawal. The incident necessitates a new auditing standard focused on state management integrity, particularly for StableSwap forks and custom vault implementations where the first-deposit logic can be manipulated by residual storage values. For users, this reinforces the need to monitor and diversify exposure to custom, single-asset pools, even within established ecosystems.

A modern, metallic, camera-like device is shown at an angle, nestled within a vibrant, translucent blue, irregularly shaped substance, with white foam covering parts of both. The background is a smooth, light gray, creating a minimalist setting for the central elements

Verdict

The Yearn yETH exploit is a critical demonstration of how subtle, gas-saving optimizations in custom DeFi logic can introduce catastrophic state-manipulation vulnerabilities, proving that code-level integrity remains the ultimate security perimeter.

Smart contract vulnerability, infinite mint exploit, DeFi pool drain, liquid staking token, stableswap pool, cached storage flaw, arithmetic precision, on-chain forensic, flash loan attack, protocol accounting, Ethereum blockchain, token supply inflation, critical logic error, yield aggregator, smart contract logic, deposit logic flaw, residual value exploitation, custom vault code, asset withdrawal mechanism, state management integrity. Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

logic flaw

Definition ∞ A logic flaw represents an error in the design or operational reasoning of a system.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

state management

Definition ∞ State management refers to the process of controlling and organizing the dynamic data or conditions of a system or application.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Tags:

Tags: