Security

Yearn yETH Pool Drained via Unreset Cached Storage Logic Flaw

A failure to clear cached virtual balances after a full pool withdrawal enabled an attacker to mint infinite LP tokens, compromising $9 million in liquid staking assets .
December 6, 20253 min

The visual depicts a vibrant, turbulent blue liquid cascading within a precisely engineered, metallic structure, hinting at the constant motion and evolution of digital assets. This abstraction captures the essence of cryptocurrency networks, where data flows akin to liquid, governed by sophisticated protocols and cryptographic principles
A close-up view shows a grey, structured container partially filled with a vibrant blue liquid, featuring numerous white bubbles and a clear, submerged circular object. The dynamic composition highlights an active process occurring within a contained system

Briefing

The Yearn Finance yETH Stableswap pool was compromised on November 30, 2025, via a sophisticated infinite token minting exploit, resulting in a loss of approximately $9 million in liquid staking assets. This attack leveraged a critical flaw in the pool’s custom accounting logic, specifically a failure to reset cached virtual balance variables ( packed_vbs ) after the pool’s total supply was drained to zero. The attacker successfully executed a three-stage manipulation, turning a minimal 16 wei deposit into 235 septillion LP tokens, thereby draining the entire pool’s holdings.

A vibrant blue crystalline formation covered in white frost stands beside a clear rectangular glass panel, which in turn rests near a smooth white sphere, all nestled in a landscape of pristine white snow dunes. This visual narrative abstracts the complex mechanisms of a blockchain architecture

Context

The incident highlights the persistent risk associated with custom, gas-optimized smart contract implementations, particularly within the complex architecture of yield aggregators. Despite Yearn Finance’s status as a veteran protocol, the custom StableSwap code used for the yETH pool → which caches values to reduce transaction costs → introduced a non-standard attack surface that was not fully mitigated by prior audits. This pre-existing condition of code fragility in a high-value, composable asset pool was the primary vulnerability.

A transparent, elongated crystalline object, resembling a hardware wallet, is shown interacting with a large, irregular mass of deep blue, translucent material. Portions of this blue mass are covered in delicate, spiky white frost, creating a striking contrast against the vibrant blue

Analysis

The attack chain began with the attacker using flash-loaned funds to perform multiple deposit-and-withdrawal cycles, strategically accumulating non-zero residual values in the packed_vbs storage variables. Following a complete withdrawal that correctly reset the main supply counter to zero, the cached storage values remained populated with phantom balances. The final step involved a minuscule 16 wei deposit, which the contract’s “first deposit” logic misinterpreted by reading the accumulated phantom values from the cache. This miscalculation led to the minting of a near-infinite amount of LP tokens, allowing the attacker to withdraw all underlying assets from the pool.

A detailed close-up reveals a high-tech, silver and black electronic device with translucent blue internal components, partially submerged in a clear, flowing, icy-blue liquid or gel, which exhibits fine textures and light reflections. The device features a small digital display showing the number '18' alongside a circular icon, emphasizing its operational status

Parameters

  • Total Loss → ~$9 Million (The combined value drained from the yETH Stableswap pool and the Curve pool ).
  • Attack Vector → Infinite Token Mint (Exploiting a cached storage logic flaw to mint 235 septillion LP tokens ).
  • Vulnerable Component → yETH Stableswap Pool (A custom contract logic, unrelated to Yearn V2/V3 vaults ).
  • Laundering Method → Tornado Cash (~$3 million in ETH sent to the mixer ).

A vibrant blue, translucent liquid forms a dynamic, upward-spiraling column, emanating from a polished metallic apparatus. The apparatus's dark surface is illuminated by glowing blue lines resembling complex circuit pathways, suggesting advanced technological integration and a futuristic design aesthetic

Outlook

Protocols leveraging complex, gas-optimized accounting logic must immediately review all functions that rely on cached state variables, ensuring a complete and atomic reset upon total liquidity withdrawal. The incident necessitates a new auditing standard focused on state management integrity, particularly for StableSwap forks and custom vault implementations where the first-deposit logic can be manipulated by residual storage values. For users, this reinforces the need to monitor and diversify exposure to custom, single-asset pools, even within established ecosystems.

A striking abstract composition features a luminous, translucent blue mass, appearing fluid and organic, intricately contained within a complex web of silver-grey metallic wires. The background is a soft, neutral grey, highlighting the central object's vibrant blue and metallic sheen

Verdict

The Yearn yETH exploit is a critical demonstration of how subtle, gas-saving optimizations in custom DeFi logic can introduce catastrophic state-manipulation vulnerabilities, proving that code-level integrity remains the ultimate security perimeter.

Smart contract vulnerability, infinite mint exploit, DeFi pool drain, liquid staking token, stableswap pool, cached storage flaw, arithmetic precision, on-chain forensic, flash loan attack, protocol accounting, Ethereum blockchain, token supply inflation, critical logic error, yield aggregator, smart contract logic, deposit logic flaw, residual value exploitation, custom vault code, asset withdrawal mechanism, state management integrity. Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

logic flaw

Definition ∞ A logic flaw represents an error in the design or operational reasoning of a system.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

state management

Definition ∞ State management refers to the process of controlling and organizing the dynamic data or conditions of a system or application.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Tags:

Tags: