DeFi

Yearn Finance yETH Pool Hit by $9M Exploit

A significant vulnerability in Yearn Finance’s yETH pool on Ethereum has enabled an attacker to drain about $9m in assets.

According to new findings released by Check Point Research (CPR), the flaw in the pool’s internal accounting allowed the perpetrator to mint 235 septillion yETH tokens after depositing only 16 wei, worth roughly $0.000000000000000045 at the time of the attack.

The cybersecurity researchers said a critical oversight in the pool’s cached storage system created the opening.

The yETH pool uses stored virtual balances, known as packed_vbs[], to reduce gas costs during operation.

When all liquidity was removed from the pool, the main supply counter reset to zero, but the cached values did not. This desynchronization led the protocol to believe the pool was empty even though leftover phantom balances remained in storage.

The attacker took advantage of this by repeatedly cycling deposit and withdrawal transactions through flash loans. Each pass left behind small residual virtual balances that accumulated over time.

After completely emptying the pool, the attacker deposited tiny amounts across eight supported tokens. The protocol interpreted the action as a first-time deposit and minted tokens based on the inflated cached values instead of the negligible input.

Read more on Ethereum-related attacks: DeFi Protocol Balancer Loses Over $120m in Cyber Heist

The intrusion progressed in six distinct phases:

The attacker ultimately exchanged the stolen LSD assets, including wstETH, rETH and cbETH, into ETH through various DEXs before routing a portion through Tornado Cash.

CPR noted that the incident underscores the risk created by complex AMM mechanics and gas-saving optimizations.

“For defenders, this exploit reinforces that correctness in complex systems requires explicit handling of ALL state transitions, not just the happy path,” they said.

The company added that the breach could have been prevented with transaction simulation, sequence-level monitoring and automated blocking of abnormal minting behavior.

Read more on Infosecurity Magazine

This news is powered by Infosecurity Magazine Infosecurity Magazine
Bybit WSOT Launches First Onchain Wave on Solana with Over $1 Million in Rewards – CryptoCurrencyNews
Coinbase Urges U.S. Treasury to Reform Anti-Money Laundering Rules – Crypto Economy
Byreal Signals Dawn of Onchain Capital Markets with Bold Debut at Solana APEX
Top 3 Presales for 2025: MAGACOIN FINANCE Leads Ahead of Remittix, BlockDAG and Bitcoin Hyper
Best Crypto To Buy Now Debate Centers Around Remittix, VeChain, Hedera & Pi Coin In September
Share This Article
Previous Article DeFi Crypto Mutuum Finance (MUTM) Approaches 100% Allocation in Phase 6 Ahead of Q4 V1 Launch
Next Article SEC to Introduce Innovation Exemption for Crypto – FinanceFeeds