Yearn Finance suffered a devastating security breach on November 30, draining approximately $9 million from its yETH liquid staking pool through an infinite token minting vulnerability.
The incident resulted in losses totaling $9 million, with $8 million extracted from the stableswap pool and $0.9 million from the yETH-WETH stableswap pool on Curve.
The attack executed in a single transaction allowed the exploiter to generate an astronomical number of tokens and drain the entire pool.
According to @yearnfi on X, the protocol immediately launched an investigation into the incident while confirming that Yearn Vaults, both V2 and V3 versions, remained completely unaffected by the breach.
The team activated withdrawal support for yETH positions, enabling holders to convert their balances back to ETH through the platform's withdrawal system.
Security firm PeckShieldAlert reported on X that the exploit involved creating a near-infinite quantity of yETH tokens, which depleted the pool in one swift transaction.
Blockchain data reveals the attacker transferred approximately 1,000 ETH, valued at roughly $3 million, through Tornado Cash mixer to obscure the transaction trail.
Mathematical Flaw Enables Massive Token Generation
The vulnerability stemmed from a critical error in the pool's smart contract code that manages the invariant calculation.
As detailed by @ILIA_0x on X, the attack exploited a mathematical logic error in the state update mechanism of the weighted stableswap pool.
The contract stored a stateful variable called packed_pool_vb to track the virtual balance product, updating it incrementally after each swap for gas efficiency.
However, the swap function contained a fundamental flaw when adjusting this product term. The code correctly multiplied by the numerator but completely omitted the required division by the denominator.
This missing division operation injected a multiplication factor of approximately 10^36 into the stored state, causing the virtual balance product to explode to an astronomically high value.
When the attacker subsequently called the add_liquidity function, the contract's Newton's method solver converged on a massive total supply figure, minting 2.35 × 10^38 yETH tokens for the exploiter.
With quintillions of LP tokens now in possession, the attacker rightfully claimed 100% of the pool's underlying assets, including wstETH, rETH, and sfrxETH, according to the contract's broken logic.
Protocol Response and Security Measures
Yearn confirmed a comprehensive post-mortem investigation is underway in partnership with SEAL 911 and ChainSecurity, noting the hack exhibits complexity levels comparable to the recent Balancer exploit.
The team emphasized that no other Yearn products utilize similar code to the compromised contract.
The attacker deployed several smart contracts minutes before executing the exploit, which self-destructed immediately following the theft to complicate forensic analysis.
PeckShieldAlert identified the exploiter's address as 0xa80d...c822, which currently holds cryptos valued at approximately $6 million.
Blockchain security experts point to this incident as evidence of escalating sophistication in DeFi attacks.
The exploit demonstrates how stateful mathematical operations in complex AMM designs can create catastrophic vulnerabilities when even single operations are incorrectly implemented.
The breach serves as a reminder that storing results of complex product calculations for incremental updates carries significant risk.
Errors accumulate permanently, and dimensional mismatches in weighted mathematics can break solver convergence bounds entirely.
Yearn Finance previously experienced an $11 million exploit in 2021 affecting its yDAI vault, though that incident resulted in the attacker obtaining only $2.8 million. In December 2023, the protocol reported a faulty script that eliminated 63% of a treasury position, though user funds remained secure.
The current investigation continues as the team works to determine the full scope of the vulnerability and implement safeguards preventing similar incidents across the DeFi ecosystem.
Related reading: Rugproof Launchpad—The Launchpad That Might Be the Next Rug Pull Trap
Related reading: Asymmetric Funds Pivot After $10M Loss Sparks Investor Alarm
This Article First Appeared on: https://www.cryptonewslive.org/article/yearn-finance-loses-9m-in-infinite-mint-attack
