Yearn $9M yETH Exploit

On November 30, 2025, Yearn Finance's yETH liquidity pool suffered a sophisticated, capital-efficient breach amounting to nearly $9 million. The pool is a composite stable-swap construct comprising various Ethereum Liquid Staking Derivatives, including wstETH, rETH, and cbETH. The attacker exploited architectural vulnerabilities related to desynchronized cached virtual balances and flawed minting logic, which enabled the creation of approximately 235 septillion yETH tokens from a deposit of only 16 wei while circumventing the protections inherent to the broader Yearn V2 and V3 vault ecosystems. The incident was subsequently corroborated by blockchain security entities such as PeckShield and Check Point Research, and it underscores the complexities and risks of custom stable-swap contract implementations within decentralized finance protocols.

The root cause lay in a gas desync issue stemming from the stored virtual balance arrays, packed_vbs[]. These arrays held cached values intended to reduce transaction costs, but they became desynchronized after a total liquidity withdrawal reset the pool's supply counter to zero. The resulting state left residual phantom balances that the first-deposit logic erroneously recognized as legitimate collateral, enabling the attacker to mint yETH tokens far in excess of their marginal input.

Such vulnerabilities illustrate the governance risk inherent in decentralized ecosystems, where custom adaptations of standardized contracts that lack robust oversight or exhaustive validation introduce vectors for subtle yet catastrophic exploitation.

The attacker leveraged flash loans from the Balancer and Aave protocols to simulate substantial liquidity provision without upfront capital, cyclically manipulating deposits and withdrawals to escalate virtual balance discrepancies before executing the minting exploit. The breach exploited a critical flaw in cached virtual balances that were not properly reset during supply adjustments.

The stolen assets, comprising nearly 1000 ETH alongside various staking derivatives, were partially laundered via Tornado Cash, a mixer service that obscures transactional provenance, which complicates forensic tracing and fund recovery. The stolen funds were primarily drained from the affected stableswap pool, so the exploit's impact was confined to this specific contract. Yearn Finance's core vaults, governed under stringent protocol controls, remained unaffected because this bespoke stable-swap contract variant was deployed in isolation and functioned independently from mainstream Yearn infrastructure, preserving systemic integrity amid localized collateral depletion.

This incident is a cautionary example of how optimization-driven contract innovations, while advancing gas efficiency, may inadvertently heighten systemic fragility, and it emphasizes the need for heightened scrutiny within DeFi governance frameworks to preempt latent, non-obvious threats embedded in emergent financial primitives. It also underscores the ongoing necessity for rigorous code audits and community vigilance in mitigating DeFi security risks.
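The stale-cache failure described above, as an added example that is not Yearn's contract code: a simplified Python model of a pool whose supply is zero while its virtual-balance cache is not, with the first-deposit path shown both trusting the cache and rebuilding it, plus the invariant a test suite or monitor can assert. `cached_vb` stands in for `packed_vbs[]`; the class, the sum-based mint rule, the residue values and the split of the 16 wei deposit are assumptions, and how the residue accumulates is not modeled.

```python
# Simplified model of the bug class described above; not Yearn's contract code.
# cached_vb stands in for packed_vbs[]; every other name is hypothetical.

class ToyPool:
    def __init__(self, n_assets, hardened):
        self.real = [0] * n_assets       # tokens the pool actually holds
        self.cached_vb = [0] * n_assets  # gas-saving cache of virtual balances
        self.supply = 0                  # LP tokens outstanding
        self.hardened = hardened

    def invariant_ok(self):
        """Empty pool => empty cache; live pool => cache never exceeds holdings."""
        if self.supply == 0:
            return not any(self.cached_vb)
        return all(c <= r for c, r in zip(self.cached_vb, self.real))

    def add_liquidity(self, amounts):
        if self.supply == 0 and self.hardened:
            # Hardened first-deposit path: do not trust the cache at zero
            # supply; rebuild it from what the pool really holds.
            self.cached_vb = list(self.real)
        before = sum(self.cached_vb)
        self.real = [r + a for r, a in zip(self.real, amounts)]
        self.cached_vb = [c + a for c, a in zip(self.cached_vb, amounts)]
        after = sum(self.cached_vb)
        if self.supply == 0:
            minted = after  # toy rule: first deposit mints the cached total
        else:
            minted = self.supply * (after - before) // before
        self.supply += minted
        return minted


def first_deposit_after_drain(hardened, residue, deposit):
    """Deposit into a pool whose supply was reset to 0 while `residue`
    stayed in the cache. Returns (minted, pool)."""
    pool = ToyPool(len(residue), hardened)
    pool.cached_vb = list(residue)  # stale cache left by the full withdrawal
    return pool.add_liquidity(deposit), pool


# Constructed sample state: residue values are illustrative, not on-chain data.
RESIDUE = [7 * 10**20, 5 * 10**20, 3 * 10**20]
DEPOSIT = [8, 8, 0]  # 16 wei in total, as reported; the split is an assumption

if __name__ == "__main__":
    for hardened in (False, True):
        minted, pool = first_deposit_after_drain(hardened, RESIDUE, DEPOSIT)
        print(hardened, minted, pool.invariant_ok())
```

Asserting `invariant_ok()` after every state-changing call in a fuzz or property test flags the stale cache at the moment supply reaches zero, before any deposit can mint against it.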
