How did a sophisticated flaw slip through the defenses of Yearn Finance’s yETH liquidity pool, resulting in a loss of approximately $9 million? On November 30, 2025, an attacker exploited a custom StableSwap pool designed for liquid staking tokens by leveraging an infinite mint vulnerability. This allowed the malicious actor to create an unprecedented 235 septillion yETH tokens with minimal capital input: only 16 wei, a small fraction of a cent. The breach exploited technical vulnerabilities embedded in the pool’s internal accounting and highlighted significant risks connected to smart contract implementations, especially regarding cached storage management and logic assumptions. Notably, the exploit was executed using flash-loaned funds to seed the manipulation efficiently.
The root cause of the exploit lay in a flaw in the protocol’s handling of its cached virtual balances, known as packed_vbs[], which were not reset when the pool’s LP token supply dropped to zero. This desynchronization caused the protocol to falsely believe the pool was empty even though residual virtual balances remained. The attacker’s strategy involved repeatedly cycling deposits and withdrawals using flash loans, leaving behind residual virtual balances despite emptying the pool. When the pool’s supply reached zero, the system mistakenly considered the pool pristine and, upon the attacker’s minimal deposit of 16 wei, triggered incorrect minting logic that based token issuance on inflated cached balances rather than actual deposits. This capital-efficient mechanism enabled the attacker to extract significant value without substantial initial capital investment.
A caching flaw in LP token accounting enabled infinite minting from minimal deposits after pool depletion.
Technically, the exploit targeted a customized instantiation of the popular StableSwap algorithm, unrelated to other Yearn products, and specifically affected the interaction between the add_liquidity() and remove_liquidity() functions. The attempt to optimize gas costs inadvertently introduced a critical security vulnerability by not properly clearing cached values during liquidity shifts. As a result, approximately $9 million was drained from the pool, which initially contained around $11 million in liquid staking tokens. Portions of the stolen funds were quickly converted into wrapped Ethereum and obfuscated using privacy protocols such as Tornado Cash.
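The stale-cache condition described above can be shown with a toy Python model, added here as an illustration; it is not the yETH contract code. The names Pool, vbs, cache_invariant_ok and reset_stale_cache are hypothetical, the sample state and the two-asset split of the 16 wei deposit are constructed, and the way residue accumulates in the cache is not modelled.

```python
# Toy model, constructed for illustration; NOT the yETH contract code.
from dataclasses import dataclass

@dataclass
class Pool:
    vbs: list          # cached virtual balances (stand-in for packed_vbs[])
    supply: int = 0    # LP token supply

def cache_invariant_ok(pool):
    """Invariant to monitor: supply == 0 implies an all-zero cache."""
    return pool.supply != 0 or all(v == 0 for v in pool.vbs)

def add_liquidity(pool, amounts, reset_stale_cache):
    """Mint LP tokens for a deposit; returns the amount minted."""
    if pool.supply == 0 and reset_stale_cache:
        # Hardened: an empty pool always starts from a clean cache.
        pool.vbs = [0] * len(pool.vbs)
    prev = sum(pool.vbs)
    for i, amount in enumerate(amounts):
        pool.vbs[i] += amount
    if pool.supply == 0:
        # First-deposit path: mints against the whole cache. With a stale
        # cache, leftover balances are counted as if they were just deposited.
        minted = sum(pool.vbs)
    else:
        if prev == 0:
            raise ValueError("non-zero supply with empty cache")
        minted = pool.supply * sum(amounts) // prev
    pool.supply += minted
    return minted

def stale_pool():
    # Constructed state: supply burned to zero, cache left non-zero.
    return Pool(vbs=[10**18, 5 * 10**17], supply=0)

if __name__ == "__main__":
    deposit = [8, 8]   # 16 wei in total; the split is constructed
    print("invariant holds:", cache_invariant_ok(stale_pool()))
    print("minted, cache trusted:", add_liquidity(stale_pool(), deposit, False))
    print("minted, cache reset:  ", add_liquidity(stale_pool(), deposit, True))
```

The invariant check is the kind of assertion that can run in a fuzzing harness or an on-chain monitor: any state with zero supply and a non-zero cache is a finding, whether or not a deposit follows.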
The incident sent ripples through the broader crypto market, triggering a sharp sell-off in major assets including Bitcoin and Ethereum, with Bitcoin’s price falling below $86,000 shortly after. The breach underlined persistent challenges in DeFi composability and the need for rigorous on-chain security audits. Yearn Finance confirmed that only the yETH StableSwap pools were affected, with major vaults and yield markets remaining secure. Despite swift responses from the development team, this event added to the mounting $2.5 billion in crypto losses from hacks and exploits in 2025, reinforcing the cautious approach necessary for participation in DeFi ecosystems moving forward.








