The decentralized finance (DeFi) sector was struck by a significant security incident on November 30, 2025, when hackers exploited a critical vulnerability in Yearn Finance’s yETH pool, leading to the alleged theft of approximately $9 million in Ethereum.
The sophisticated attack saw an unauthorized party mint an extraordinary amount of yETH tokens, specifically 235 septillion, by depositing an almost negligible amount of 16 wei, a value far less than a cent. This event underscores the inherent risks associated with complex smart contract invariants and how optimizations can inadvertently create severe security flaws.
Hackers Exploit Yearn Finance yETH Pool Vulnerability for Millions
The core of the breach was identified within the protocol’s internal accounting mechanisms, particularly its use of cached storage variables known as packed_vbs. These variables were designed to reduce transaction costs by storing virtual balance information. However, they failed to reset correctly when the pool’s liquidity supply dropped to zero, creating a critical discrepancy between the pool’s actual state and its recorded status.
While the main supply counter was reset, the cached values retained phantom balances from previous transactions. Security analysts, including those from Check Point, observed the attacker’s actions and determined that this was not a simple coding error but a fundamental logic flaw in the protocol’s state management. By carefully manipulating the interactions between deposit and withdrawal functions, the attacker successfully deceived the system, convincing it that the pool held substantial assets when it was effectively empty.
This exploit stands out as one of the most capital-efficient attacks recorded in the history of decentralized finance, requiring minimal upfront investment to drain millions of dollars worth of Ethereum-based assets. The investigation into this Yearn Finance yETH pool vulnerability is ongoing, with developers working to patch the flaw and assess the full extent of the damage.
The Mechanics of State Poisoning in the yETH Pool Exploit
The attack was executed through a precise process of state poisoning, exploiting the protocol’s oversight in clearing its cache. The perpetrator reportedly conducted over ten cycles of deposits and withdrawals, utilizing flash-loaned funds. This repetitive action deliberately left minute residual values in the packed_vbs storage slots.
This persistent, accumulated data in the cache remained even after the attacker withdrew all legitimate liquidity, effectively bringing the pool’s total supply to zero. The critical flaw within the protocol’s add_liquidity function was its assumption that a zero supply automatically signaled a pristine, empty pool. Consequently, when the attacker deposited their final minuscule amount of 16 wei, the system did not recalculate based on the new deposit. Instead, it read the stale, non-zero values from the poisoned cache.
This miscalculation led to the erroneous minting of a massive quantity of LP tokens, which granted the attacker complete control over the pool’s assets. These assets were then allegedly swapped for Wrapped Ether (WETH) and subsequently laundered through privacy mixers like Tornado Cash. The incident is a reminder that complex DeFi smart contracts need explicit state management to prevent such financially devastating exploits.
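The zero-supply assumption described above, as a simplified Python model added here (it is not Yearn's contract code). `ToyPool`, its mint rule, and the `STALE` residue values are constructed assumptions; only `packed_vbs`, `add_liquidity`, and the 16 wei deposit come from the article.

```python
# Simplified model of the zero-supply bug class; NOT Yearn's contract code.
# Assumption: LP minted = sum of cached balances after deposit - current supply.

class ToyPool:
    def __init__(self, n_assets, reset_on_empty):
        self.reset_on_empty = reset_on_empty   # True = hardened behaviour
        self.supply = 0                        # LP token total supply
        self.cached_vb = [0] * n_assets        # stands in for packed_vbs

    def invariant_ok(self):
        """An empty pool (supply == 0) must also have an empty cache."""
        return self.supply > 0 or all(v == 0 for v in self.cached_vb)

    def add_liquidity(self, amounts):
        if len(amounts) != len(self.cached_vb) or any(a < 0 for a in amounts):
            raise ValueError("one non-negative amount per asset required")
        if self.supply == 0 and self.reset_on_empty:
            # Hardened: do not infer "pristine" from supply == 0;
            # clear the cached balances explicitly before using them.
            self.cached_vb = [0] * len(self.cached_vb)
        # Without the reset, the deposit is added on top of whatever is cached.
        self.cached_vb = [v + a for v, a in zip(self.cached_vb, amounts)]
        minted = sum(self.cached_vb) - self.supply
        self.supply += minted
        return minted


def first_deposit_mint(stale_cache, deposit, reset_on_empty):
    """Return (invariant held before deposit, LP minted) for a zero-supply pool."""
    pool = ToyPool(len(stale_cache), reset_on_empty)
    pool.cached_vb = list(stale_cache)   # constructed state: supply 0, cache not cleared
    was_consistent = pool.invariant_ok()
    return was_consistent, pool.add_liquidity(deposit)


STALE = [10**18, 10**18]   # constructed residue, not values from the incident
DEPOSIT = [8, 8]           # 16 wei in total, as in the article

if __name__ == "__main__":
    for hardened in (False, True):
        ok, minted = first_deposit_mint(STALE, DEPOSIT, hardened)
        print(f"reset_on_empty={hardened}: invariant_ok={ok}, minted={minted}")
```

The `invariant_ok` check is the kind of assertion an audit or fuzzing harness can evaluate after every state transition: it fails as soon as supply reaches zero with a non-empty cache, before any deposit relies on it.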
The DeFi community is now awaiting further details from Yearn Finance regarding restitution efforts and any potential upgrades to their security protocols. The ongoing analysis of this state poisoning technique will likely inform future best practices for smart contract development and auditing within the rapidly evolving decentralized finance landscape.

