Security

Yearn yETH Pool Drained via Unreset Cached Storage Logic Flaw

A failure to clear cached virtual balances after a full pool withdrawal enabled an attacker to mint infinite LP tokens, compromising $9 million in liquid staking assets .
December 6, 20253 min

The image displays a close-up of a high-tech hardware assembly, featuring intricately shaped, translucent blue liquid cooling conduits flowing over metallic components. Clear tubing and wiring connect various modules on a polished, silver-grey chassis, revealing a complex internal architecture
A futuristic, deer-like head, constructed from clear blue material with intricate internal components, is partially covered in white, fluffy, snow-like texture. A branched, white antler extends from the head, and a reflective silver sphere floats nearby against a dark background

Briefing

The Yearn Finance yETH Stableswap pool was compromised on November 30, 2025, via a sophisticated infinite token minting exploit, resulting in a loss of approximately $9 million in liquid staking assets. This attack leveraged a critical flaw in the pool’s custom accounting logic, specifically a failure to reset cached virtual balance variables ( packed_vbs ) after the pool’s total supply was drained to zero. The attacker successfully executed a three-stage manipulation, turning a minimal 16 wei deposit into 235 septillion LP tokens, thereby draining the entire pool’s holdings.

Several faceted crystals, one clear and partially covered in white snow, and others deep blue and highly reflective, are embedded in a snowy landscape. The clear crystal in the foreground is elongated, while the blue crystals behind it are larger and more obscured by the white powder

Context

The incident highlights the persistent risk associated with custom, gas-optimized smart contract implementations, particularly within the complex architecture of yield aggregators. Despite Yearn Finance’s status as a veteran protocol, the custom StableSwap code used for the yETH pool → which caches values to reduce transaction costs → introduced a non-standard attack surface that was not fully mitigated by prior audits. This pre-existing condition of code fragility in a high-value, composable asset pool was the primary vulnerability.

A highly detailed render showcases a central metallic cylindrical object, intricately designed with internal spokes. This core component is partially enveloped by a dynamic blue liquid-like substance and a textured white granular material, resembling frost or accumulated particles

Analysis

The attack chain began with the attacker using flash-loaned funds to perform multiple deposit-and-withdrawal cycles, strategically accumulating non-zero residual values in the packed_vbs storage variables. Following a complete withdrawal that correctly reset the main supply counter to zero, the cached storage values remained populated with phantom balances. The final step involved a minuscule 16 wei deposit, which the contract’s “first deposit” logic misinterpreted by reading the accumulated phantom values from the cache. This miscalculation led to the minting of a near-infinite amount of LP tokens, allowing the attacker to withdraw all underlying assets from the pool.

A metallic sphere with intricate blue and silver components expels a cascading stream of bright blue liquid. This abstract representation visualizes the complex yet fluid nature of blockchain operations and the broader cryptocurrency landscape

Parameters

  • Total Loss → ~$9 Million (The combined value drained from the yETH Stableswap pool and the Curve pool ).
  • Attack Vector → Infinite Token Mint (Exploiting a cached storage logic flaw to mint 235 septillion LP tokens ).
  • Vulnerable Component → yETH Stableswap Pool (A custom contract logic, unrelated to Yearn V2/V3 vaults ).
  • Laundering Method → Tornado Cash (~$3 million in ETH sent to the mixer ).

A polished, multi-layered metallic mechanism descends into a vibrant, translucent blue liquid, with blue rod-like structures extending from it. White foam actively bubbles at the liquid's surface around the metallic component, set against a soft, light gray background

Outlook

Protocols leveraging complex, gas-optimized accounting logic must immediately review all functions that rely on cached state variables, ensuring a complete and atomic reset upon total liquidity withdrawal. The incident necessitates a new auditing standard focused on state management integrity, particularly for StableSwap forks and custom vault implementations where the first-deposit logic can be manipulated by residual storage values. For users, this reinforces the need to monitor and diversify exposure to custom, single-asset pools, even within established ecosystems.

A futuristic, rectangular device with rounded corners is prominently displayed, featuring a translucent blue top section that appears frosted or icy. A clear, domed element on top encapsulates a blue liquid or gel with a small bubble, set against a dark grey/black base

Verdict

The Yearn yETH exploit is a critical demonstration of how subtle, gas-saving optimizations in custom DeFi logic can introduce catastrophic state-manipulation vulnerabilities, proving that code-level integrity remains the ultimate security perimeter.

Smart contract vulnerability, infinite mint exploit, DeFi pool drain, liquid staking token, stableswap pool, cached storage flaw, arithmetic precision, on-chain forensic, flash loan attack, protocol accounting, Ethereum blockchain, token supply inflation, critical logic error, yield aggregator, smart contract logic, deposit logic flaw, residual value exploitation, custom vault code, asset withdrawal mechanism, state management integrity. Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

logic flaw

Definition ∞ A logic flaw represents an error in the design or operational reasoning of a system.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

state management

Definition ∞ State management refers to the process of controlling and organizing the dynamic data or conditions of a system or application.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Tags:

Tags: