Yearn Finance’s yETH Exploit Exposes Critical Smart-Contract Failure, Triggering $9M DeFi Drain


📌 Article Summary

Yearn Finance’s legacy yETH pool suffered a $9 million breach after an attacker exploited a cached-storage vulnerability that enabled an “infinite mint” of yETH using only 16 wei. The incident exposes deep structural risks in dormant DeFi contracts and raises new concerns about aging smart-contract infrastructure across Ethereum.

🛑 What Triggered the yETH Pool Exploit?

Yearn Finance confirmed that its deprecated yETH stableswap pool was compromised on November 30, 2025, after an attacker found a flaw in the contract’s accounting logic. Yearn’s V2 and V3 vaults were not affected; the older yETH design, however, relied on custom storage arrays and gas-saving mathematical shortcuts that created a hidden point of weakness. Security researchers describe it as one of the more technically complex DeFi exploits of the year.

⚙️ How Cached Storage Enabled an Infinite Mint Condition

The root cause was a desynchronized storage array, packed_vbs[], which held a cached copy of the pool’s token balances to save gas. When the pool’s actual balances were reset to zero, the cached copy was not refreshed, so the two views of the pool’s state diverged and the pool’s invariant no longer held. The attacker then deposited 16 wei. The minting function priced that deposit against the stale cached balances using unchecked arithmetic and computed an astronomically large entitlement, minting approximately 2.35 × 10³⁸ yETH. Because the amount minted bore no relation to the amount deposited, the result is described as an “infinite mint.”
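To make the failure class concrete, the following is an added, constructed toy model and not the yETH contract or any Yearn code. It assumes a two-asset pool with a simplified constant-sum invariant, a packed 128-bit cache standing in for packed_vbs[], a hypothetical reset_token() path that empties one asset without refreshing the cache, and a sub128() helper that either reverts on underflow (checked, the Vyper default) or wraps modulo 2¹²⁸ (unchecked). The mint formula supply · (D1 − D0) / D0 is the usual stableswap shape; the specific numbers are illustrative and the minted figure differs from the one reported on-chain.

```python
"""Toy model of a pool that caches balances in a packed 128-bit array.

Constructed for illustration; NOT the yETH contract. It reproduces the
failure class described above: a gas-saving cache that a state-changing
path forgets to refresh, plus wrapping (unchecked) arithmetic, so a 16-wei
deposit is priced against stale balances and mints on the order of 2**128.
"""

MASK128 = (1 << 128) - 1
WAD = 10**18


def pack(vb0: int, vb1: int) -> int:
    """Pack two 128-bit virtual balances into one 256-bit storage word."""
    assert 0 <= vb0 <= MASK128 and 0 <= vb1 <= MASK128
    return vb0 | (vb1 << 128)


def unpack(word: int) -> tuple:
    """Inverse of pack(): split a storage word into its two 128-bit fields."""
    return word & MASK128, (word >> 128) & MASK128


def sub128(a: int, b: int, checked: bool) -> int:
    """128-bit subtraction. checked=True reverts on underflow (Vyper default);
    checked=False wraps modulo 2**128, modelling unchecked arithmetic."""
    if checked and a < b:
        raise ArithmeticError("underflow: new invariant below cached invariant")
    return (a - b) & MASK128


class CachedPool:
    """Two-asset pool with a simplified constant-sum invariant D = b0 + b1."""

    def __init__(self, bal0: int, bal1: int, checked: bool, refresh_cache: bool):
        self.balances = [bal0, bal1]        # actual token balances (ground truth)
        self.packed_vbs = pack(bal0, bal1)  # cached copy read by the hot path
        self.supply = bal0 + bal1           # LP tokens outstanding
        self.checked = checked
        self.refresh_cache = refresh_cache

    @staticmethod
    def invariant(bals) -> int:
        return bals[0] + bals[1]

    def sync_cache(self) -> None:
        """Rebuild packed_vbs from the real balances."""
        self.packed_vbs = pack(*self.balances)

    def reset_token(self, i: int) -> None:
        """Hypothetical path that zeroes one asset's real balance.
        The vulnerable configuration leaves packed_vbs stale here."""
        self.balances[i] = 0
        if self.refresh_cache:
            self.sync_cache()

    def add_liquidity(self, amounts) -> int:
        """Mint LP tokens for the growth of D: supply * (D1 - D0) / D0."""
        d_prev = self.invariant(unpack(self.packed_vbs))  # cached D0 (may be stale)
        self.balances = [b + a for b, a in zip(self.balances, amounts)]
        d_new = self.invariant(self.balances)             # real D1
        minted = self.supply * sub128(d_new, d_prev, self.checked) // d_prev
        self.supply += minted
        self.sync_cache()
        return minted


def run_attack(checked: bool, refresh_cache: bool) -> int:
    """Empty asset 0, then deposit 16 wei of it. Returns LP tokens minted."""
    pool = CachedPool(100 * WAD, 100 * WAD, checked, refresh_cache)
    pool.reset_token(0)
    return pool.add_liquidity([16, 0])


def attack_reverts(checked: bool, refresh_cache: bool) -> bool:
    """True if the configuration rejects the 16-wei deposit."""
    try:
        run_attack(checked, refresh_cache)
        return False
    except ArithmeticError:
        return True


if __name__ == "__main__":
    minted = run_attack(checked=False, refresh_cache=False)
    print(f"vulnerable: 16 wei minted {minted:.3e} LP tokens (~2**128)")
    for cfg in ((True, False), (False, True), (True, True)):
        if attack_reverts(*cfg):
            print("hardened", cfg, "reverted on underflow")
        else:
            print("hardened", cfg, "minted", run_attack(*cfg))
```

The vulnerable configuration mints 2¹²⁸ − 100·10¹⁸ + 16 tokens for a 16-wei deposit: D0 is read from the stale cache (200 ETH) while D1 comes from the real balances (100 ETH + 16 wei), and the wrapping subtraction turns a negative difference into a number near 2¹²⁸. Either fix alone closes this path: checked arithmetic reverts the transaction, and refreshing the cache in every state-changing path keeps D0 honest so the deposit mints a proportional 32 units.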

🔗 Inside the Attacker’s On-Chain Drain Strategy

After generating the synthetic supply, the attacker routed yETH through interconnected Curve and Balancer pools, swapping it for real ETH and liquid-staking derivatives. Nearly $9 million was drained in minutes. Roughly 1,000 ETH was moved through Tornado Cash to obscure its origin, while the remaining assets were spread across multiple attacker-controlled wallets.

🛠️ Yearn’s Response and Partial Recovery Efforts

Yearn Finance collaborated with blockchain security partners to recover approximately $2.4 million, primarily in pxETH. A full post-mortem is underway, and Yearn is urging users to migrate funds away from legacy, unaudited, or deprecated contracts that may contain similar structural risks.

⚠️ Why This Exploit Matters for DeFi Security

The breach underscores a broader DeFi infrastructure risk: dormant or outdated smart contracts with complex math, caching systems, or historical liquidity. As decentralized finance scales, long-standing contracts that remain active without recurring audits may continue to pose systemic threats across the ecosystem.

⭐ Key Takeaways

  • Yearn Finance’s yETH pool lost $9 million due to a cached-storage desynchronization bug.
  • A 16-wei deposit triggered an infinite mint producing roughly 2.35 × 10³⁸ yETH.
  • The attacker drained the pool using cross-protocol swaps through Curve and Balancer.
  • About $2.4 million in pxETH has been recovered so far.
  • Legacy contracts pose hidden systemic risks if not retired or re-audited.
  • Yearn’s primary vaults (V2/V3) were not affected, highlighting the dangers of older DeFi infrastructure.

📢 Disclaimer

This article is for informational and educational purposes only and does not constitute financial, investment, or trading advice. All reporting is based on verified on-chain data and reputable security analyses. This article was created with AI assistance and editorially curated by Digital News & Investigative Reports (DNIR) for accuracy and journalistic standards. Source: cnirbc.com.
