Security

Yearn yETH Pool Drained via Unreset Cached Storage Logic Flaw

A failure to clear cached virtual balances after a full pool withdrawal enabled an attacker to mint infinite LP tokens, compromising $9 million in liquid staking assets .
December 6, 20253 min

A striking abstract composition features clear and blue crystalline structures, white textured formations, and smooth white and silver spheres emerging from dark blue water under a clear sky. The elements are arranged centrally, creating a sense of balance and depth
A polished, multi-layered metallic mechanism descends into a vibrant, translucent blue liquid, with blue rod-like structures extending from it. White foam actively bubbles at the liquid's surface around the metallic component, set against a soft, light gray background

Briefing

The Yearn Finance yETH Stableswap pool was compromised on November 30, 2025, via a sophisticated infinite token minting exploit, resulting in a loss of approximately $9 million in liquid staking assets. This attack leveraged a critical flaw in the pool’s custom accounting logic, specifically a failure to reset cached virtual balance variables ( packed_vbs ) after the pool’s total supply was drained to zero. The attacker successfully executed a three-stage manipulation, turning a minimal 16 wei deposit into 235 septillion LP tokens, thereby draining the entire pool’s holdings.

A close-up view reveals a metallic, hexagonal object with intricate silver and dark grey patterns, partially surrounded by a vibrant, translucent blue, organic-looking material. A cylindrical metallic component protrudes from one side of the central object

Context

The incident highlights the persistent risk associated with custom, gas-optimized smart contract implementations, particularly within the complex architecture of yield aggregators. Despite Yearn Finance’s status as a veteran protocol, the custom StableSwap code used for the yETH pool → which caches values to reduce transaction costs → introduced a non-standard attack surface that was not fully mitigated by prior audits. This pre-existing condition of code fragility in a high-value, composable asset pool was the primary vulnerability.

The image displays granular blue and white material flowing through transparent, curved channels, interacting with metallic components and a clear sphere. A mechanical claw-like structure holds a white disc, while a thin rod with a small sphere extends over the white granular substance

Analysis

The attack chain began with the attacker using flash-loaned funds to perform multiple deposit-and-withdrawal cycles, strategically accumulating non-zero residual values in the packed_vbs storage variables. Following a complete withdrawal that correctly reset the main supply counter to zero, the cached storage values remained populated with phantom balances. The final step involved a minuscule 16 wei deposit, which the contract’s “first deposit” logic misinterpreted by reading the accumulated phantom values from the cache. This miscalculation led to the minting of a near-infinite amount of LP tokens, allowing the attacker to withdraw all underlying assets from the pool.

A vibrant blue, amorphous liquid mass, with intricate swirling patterns and bright highlights, rests on a structured, dark blue platform. This visual evokes the abstract concept of liquid staking or decentralized finance DeFi protocols, where digital assets are dynamically managed and utilized within the blockchain ecosystem

Parameters

  • Total Loss → ~$9 Million (The combined value drained from the yETH Stableswap pool and the Curve pool ).
  • Attack Vector → Infinite Token Mint (Exploiting a cached storage logic flaw to mint 235 septillion LP tokens ).
  • Vulnerable Component → yETH Stableswap Pool (A custom contract logic, unrelated to Yearn V2/V3 vaults ).
  • Laundering Method → Tornado Cash (~$3 million in ETH sent to the mixer ).

The image displays a central, textured blue and white spherical object, encircled by multiple metallic rings. A smooth white sphere floats to its left, while two clear ice-like cubes rest on its upper surface

Outlook

Protocols leveraging complex, gas-optimized accounting logic must immediately review all functions that rely on cached state variables, ensuring a complete and atomic reset upon total liquidity withdrawal. The incident necessitates a new auditing standard focused on state management integrity, particularly for StableSwap forks and custom vault implementations where the first-deposit logic can be manipulated by residual storage values. For users, this reinforces the need to monitor and diversify exposure to custom, single-asset pools, even within established ecosystems.

A transparent, multi-faceted geometric structure, resembling a block or node, is depicted partially immersed in a flowing stream of liquid with numerous bubbles. The composition highlights the interaction between the precise digital architecture and the dynamic, effervescent medium

Verdict

The Yearn yETH exploit is a critical demonstration of how subtle, gas-saving optimizations in custom DeFi logic can introduce catastrophic state-manipulation vulnerabilities, proving that code-level integrity remains the ultimate security perimeter.

Smart contract vulnerability, infinite mint exploit, DeFi pool drain, liquid staking token, stableswap pool, cached storage flaw, arithmetic precision, on-chain forensic, flash loan attack, protocol accounting, Ethereum blockchain, token supply inflation, critical logic error, yield aggregator, smart contract logic, deposit logic flaw, residual value exploitation, custom vault code, asset withdrawal mechanism, state management integrity. Signal Acquired from → checkpoint.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

logic flaw

Definition ∞ A logic flaw represents an error in the design or operational reasoning of a system.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

state management

Definition ∞ State management refers to the process of controlling and organizing the dynamic data or conditions of a system or application.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Tags:

Tags: