Security

Yearn yETH Pool Drained via Unreset Cached Storage Logic Flaw

A failure to clear cached virtual balances after a full pool withdrawal enabled an attacker to mint infinite LP tokens, compromising $9 million in liquid staking assets .
December 6, 20253 min

A large, faceted blue crystalline structure, reminiscent of a massive immutable ledger shard, forms the central focus, with a luminous full moon embedded within its depths. White snow or frost accents the crystal's contours, suggesting cold storage for digital assets
A luminous, multifaceted crystal, glowing with blue light, is nestled within a dark, textured structure, partially covered by a white, granular substance. The central clear crystal represents a high-value digital asset, perhaps a core token or a non-fungible token NFT with significant utility

Briefing

The Yearn Finance yETH Stableswap pool was compromised on November 30, 2025, via a sophisticated infinite token minting exploit, resulting in a loss of approximately $9 million in liquid staking assets. This attack leveraged a critical flaw in the pool’s custom accounting logic, specifically a failure to reset cached virtual balance variables ( packed_vbs ) after the pool’s total supply was drained to zero. The attacker successfully executed a three-stage manipulation, turning a minimal 16 wei deposit into 235 septillion LP tokens, thereby draining the entire pool’s holdings.

Intricate metallic rings are intertwined with vibrant blue, granular structures, partially covered in a frosty white texture, with a central, textured white orb suspended within. The composition evokes a sense of complex, interconnected systems and advanced technological processes

Context

The incident highlights the persistent risk associated with custom, gas-optimized smart contract implementations, particularly within the complex architecture of yield aggregators. Despite Yearn Finance’s status as a veteran protocol, the custom StableSwap code used for the yETH pool → which caches values to reduce transaction costs → introduced a non-standard attack surface that was not fully mitigated by prior audits. This pre-existing condition of code fragility in a high-value, composable asset pool was the primary vulnerability.

The image displays a striking arrangement of white granular material, dark blue crystalline structures, and clear geometric shards set against a dark background with a reflective water surface. A substantial dark block is partially embedded in the white powder, while a vibrant cluster of blue crystals spills towards the foreground, reflecting in the water

Analysis

The attack chain began with the attacker using flash-loaned funds to perform multiple deposit-and-withdrawal cycles, strategically accumulating non-zero residual values in the packed_vbs storage variables. Following a complete withdrawal that correctly reset the main supply counter to zero, the cached storage values remained populated with phantom balances. The final step involved a minuscule 16 wei deposit, which the contract’s “first deposit” logic misinterpreted by reading the accumulated phantom values from the cache. This miscalculation led to the minting of a near-infinite amount of LP tokens, allowing the attacker to withdraw all underlying assets from the pool.

A translucent blue device with a smooth, rounded form factor is depicted against a light grey background. Two clear, rounded protrusions, possibly interactive buttons, and a dark rectangular insert are visible on its surface

Parameters

  • Total Loss → ~$9 Million (The combined value drained from the yETH Stableswap pool and the Curve pool ).
  • Attack Vector → Infinite Token Mint (Exploiting a cached storage logic flaw to mint 235 septillion LP tokens ).
  • Vulnerable Component → yETH Stableswap Pool (A custom contract logic, unrelated to Yearn V2/V3 vaults ).
  • Laundering Method → Tornado Cash (~$3 million in ETH sent to the mixer ).

A transparent, abstract car-like form, composed of clear crystalline material and vibrant blue liquid, is depicted against a subtle white and dark blue background. The structure features intricate, glowing internal patterns resembling circuit boards, partially submerged and distorted by the blue fluid

Outlook

Protocols leveraging complex, gas-optimized accounting logic must immediately review all functions that rely on cached state variables, ensuring a complete and atomic reset upon total liquidity withdrawal. The incident necessitates a new auditing standard focused on state management integrity, particularly for StableSwap forks and custom vault implementations where the first-deposit logic can be manipulated by residual storage values. For users, this reinforces the need to monitor and diversify exposure to custom, single-asset pools, even within established ecosystems.

A striking abstract composition features clear and blue crystalline structures, white textured formations, and smooth white and silver spheres emerging from dark blue water under a clear sky. The elements are arranged centrally, creating a sense of balance and depth

Verdict

The Yearn yETH exploit is a critical demonstration of how subtle, gas-saving optimizations in custom DeFi logic can introduce catastrophic state-manipulation vulnerabilities, proving that code-level integrity remains the ultimate security perimeter.

Smart contract vulnerability, infinite mint exploit, DeFi pool drain, liquid staking token, stableswap pool, cached storage flaw, arithmetic precision, on-chain forensic, flash loan attack, protocol accounting, Ethereum blockchain, token supply inflation, critical logic error, yield aggregator, smart contract logic, deposit logic flaw, residual value exploitation, custom vault code, asset withdrawal mechanism, state management integrity. Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

logic flaw

Definition ∞ A logic flaw represents an error in the design or operational reasoning of a system.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

state management

Definition ∞ State management refers to the process of controlling and organizing the dynamic data or conditions of a system or application.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Tags:

Tags: