Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 254Smart Contract Bug

Yearn yETH Infinite Mint

Yearn's yETH StableSwap pool minted 235 septillion yETH from a 16-wei deposit after a liquidity removal reset supply to zero but left cached virtual balances.

Date
Victim
Yearn Finance
Chain(s)
Ethereum
Status
Partially Recovered

On November 30, 2025, Yearn Finance's custom yETH StableSwap pool was exploited for approximately $9 million through what Check Point Research called the "16 Wei Exploit" — the attacker minted 235 septillion yETH (2.35 × 10^23 tokens) from a deposit of 16 wei (worth approximately $0.00000000000000005). The bug: stored virtual balances persisted in storage after a liquidity removal that reset the pool's supply to zero. Yearn recovered $2.39M through coordinated clawback with the Plume and Dinero teams.

What happened

Yearn's yETH product was a StableSwap-style pool aggregating various ETH-pegged liquid staking tokens. To reduce gas costs during operations, the pool implementation used a packed_vbs[] array — stored virtual balances cached in storage so the protocol could avoid expensive cross-contract reads on every operation.

The vulnerability lived in the gap between two state-mutation paths:

  1. The pool's totalSupply counter reset to zero when all liquidity was removed — the standard "vault is empty" state.
  2. The cached packed_vbs[] virtual balances did NOT reset when supply went to zero — they retained their last-recorded values from before the liquidity removal.

This left the pool in a phantom state: from the protocol's accounting view, the supply was zero, but the cached virtual balances still recorded substantial value. Any subsequent deposit would calculate share price as (cached_value + new_deposit) / new_supply — and with new_supply being the only thing actually scaled by the deposit, even a microscopic deposit would produce astronomical share-price calculations.

The attack:

  1. Detected the pool in its phantom state — empty supply, non-zero cached virtual balances.
  2. Deposited 16 wei — a quantity so small it would normally be ignored or rejected.
  3. The pool computed share allocation as a function of the cached balances, minting ~235 septillion yETH tokens to the attacker against the 16-wei deposit.
  4. Swapped the minted yETH through Curve's yETH-WETH pool, extracting approximately $900,000 in real ETH from Curve.
  5. Continued draining: the yETH stableswap pool itself was emptied for an additional $8 million as the attacker exercised their absurd share holding against the underlying pool reserves.

Total extraction: approximately $9 million in ETH and ETH-LST equivalents. 1,000 ETH (~$3M) was funneled to Tornado Cash within hours.

Aftermath

  • Yearn paused yETH operations and worked with downstream protocols holding yETH to coordinate response.
  • A clawback operation with the Plume and Dinero teams recovered 857.49 pxETH (~$2.39M) — funds that had been bridged to Plume's chain and could be reversed through coordinated state intervention.
  • Yearn emphasised — and verified on-chain — that v2 and v3 vaults and other products were unaffected; the bug was specific to the custom yETH stableswap implementation.
  • The attacker's remaining proceeds were laundered through Tornado Cash and cross-chain bridges.

Why it matters

The yETH exploit is one of the cleanest 2025 cases for how performance optimisations create new attack surface. The packed_vbs[] storage caching was a legitimate gas-saving design choice — cross-contract reads to fetch each LP token's balance would have made every yETH operation prohibitively expensive. But the cache created state that diverged from the pool's actual underlying reality, and the bug was in how that divergence was handled at edge cases.

The structural lessons:

  1. Cached state has invariant requirements separate from the underlying source-of-truth. Every code path that mutates supply, balances, or share calculations must also reason about whether the cache is still valid — and either invalidate it explicitly or assert the invariants that depend on it.
  2. Edge cases involving zero-supply states are particularly dangerous for share-price calculations. The standard mitigation — dead-shares minting at pool deployment to prevent supply from ever reaching zero — has been documented since at least 2021. Yearn's custom yETH pool was deployed without this pattern.
  3. The "16 wei" framing is a striking communication artefact — the attacker's 16-wei deposit ($0.00000000000000005) producing $9M in extraction is one of the highest economic-leverage exploits ever recorded. The asymmetry is the recurring lesson at the boundary between gas-efficient implementation and adversarial safety.

This was Yearn's third major incident in protocol history (after the iEarn legacy contract exploit in April 2023 and a 2021 smaller incident). The team's response — fast pause, coordinated cross-protocol clawback, transparent post-mortem — has been one of the cleaner incident-response performances of 2025.

Sources & on-chain evidence

  1. [01]dlnews.comhttps://www.dlnews.com/articles/defi/yearn-finance-looted-for-9m-after-attacker-minted-trillions/
  2. [02]theblock.cohttps://www.theblock.co/post/381740/yearn-finance-9-million-yeth-exploit-confirms-partial-recovery-outlines-remediation
  3. [03]research.checkpoint.comhttps://research.checkpoint.com/2025/16-wei/

Related filings