
$9 Million Stolen: Analysis of the Yearn yETH Pool Vulnerability

Background

On December 1, 2025, Yearn, a long-standing decentralized yield aggregation protocol, was exploited, leading to losses of roughly $9 million. The SlowMist security team has performed the following detailed analysis of the incident:

Root Cause

The vulnerability stems from the logic inside the _calc_supply function used to calculate supply in Yearn's yETH Weighted Stableswap Pool contract. Due to unsafe mathematical operations, the function permits overflow and rounding during calculation. This flaw results in a large deviation when computing the product of the new supply and virtual balance, enabling attackers to manipulate liquidity to specific values and mint an excessive supply of LP tokens, thereby profiting illicitly.

Prerequisite Knowledge

yETH is an Automated Market Maker (AMM) pool composed of various Ethereum liquid staking derivatives (LSTs). Users can deposit LSTs into the pool to provide liquidity and receive yETH tokens in return. Each LST asset has an associated rate provider, and the asset balance in the pool multiplied by its rate is called the virtual balance (vb), calculated as follows:

The contract maintains a variable D, which represents the total LP token supply when the pool is fully balanced. Any increase or decrease in the value of D results in a proportional minting or burning of LP tokens (yETH). This mechanism ensures a 1:1 peg, calculated using the following formula:

Here, σ represents the sum of all virtual balances (vb_sum) and π represents the product of all virtual balances (vb_prod). The virtual balance product (vb_prod) is updated during the supply recalculation process, using the following method:

Attack Analysis

Attack Transaction:

0x53fe7ef190c34d810c50fb66f0fc65a1ceedc10309cf4b4013d64042a0331156

1. The attacker first executed a flash loan to borrow a large amount of LST assets, including wstETH, rETH, WETH, 0xa35b_ETHx, rETH, wstETH, and cbETH.

Notably, half of the WETH was swapped into ETH and deposited into Tornado Cash. The attacker then withdrew funds from Tornado Cash, which triggered the fallback function of the malicious contract and initiated the attack:

2. Inside the malicious contract, the attacker first called the update_rates function of the yETH pool contract to update the corresponding rate providers for six LST assets and rebalance pool liquidity. Immediately afterward, they used 800 WETH to mint LP tokens, specifically yETH.

3. The attacker then carried out 5 consecutive cycles of removing and re-adding liquidity. During the removal phase, yETH was burned, and the attacker redeemed all eight LST assets from the pool based on their respective weights. However, when adding liquidity back, the attacker only supplied liquidity for some of the assets and did not include cbETH, wOETH, or mETH.

After the fifth liquidity addition, the total virtual balance product (vb_prod) is updated to 0, and the supply variable D is updated to a value close to the total virtual balance (vb_sum), which is significantly larger than expected.

So why does this happen? Let's dive into the _calc_supply function to analyze the behavior.

The function recalculates the new supply through an iterative loop, and within each iteration, an additional nested loop of eight rounds recalculates the updated product value for the next cycle. The supply calculation in each iteration can be simplified as: s′ = (l - s * r) / d, while the product update can be simplified as: r′ = r * (s′ / s)⁸.

Based on a Foundry simulation of the attack sequence, the current intermediate values are: the supply (_supply) is roughly 2.51e21, the total virtual balance (_vb_sum) is roughly 1.0903e22, the virtual balance product (_vb_prod) is roughly 3.5e15, and the amplification parameter (_amplification) stays constant at 4.5e20.

In the first iteration, the result is: s′ = ((4.5e20 * 1.0903e22) - 2.51e21 * 3.5e15) / (4.5e20 - 1e18) ≈ 1.0927e22, and r′ = 3.5e15 * (1.09e22 / 2.5e21)⁸ ≈ 4.57e20. In the second iteration, the result becomes: s′ = ((4.5e20 * 1.0903e22) - 1.0927e22 * 4.57e20) / (4.5e20 - 1e18) ≈ 1.94e18. This step triggers the core vulnerability exploited in the attack: during the new supply calculation, the numerator subtracts s × r from l using the unsafe_sub function, which does not perform overflow checks. As a result, the calculation underflows and produces a value of roughly 1.94e18, which is significantly smaller than the previous supply value.

When calculating the new product r′, the updated value s′ is significantly smaller than the original s, causing the recalculated virtual balance product (vb_prod) to be rounded down to 0.

Since the new product r′ is rounded to 0, all subsequent iterations produce a fixed supply value:

s′ = ((4.5e20 * 1.0903e22) - 0) / (4.5e20 - 1e18) ≈ 1.0927e22. This value becomes the final LP total supply (≈ 1.0927e22), while the virtual balance product is stored as 0 in the contract. As a result, the attacker is issued an incorrect and inflated amount of yETH.

With the manipulated virtual balance product and total supply in place, the attacker then adds single-sided liquidity again using cbETH, allowing them to mint significantly more yETH than they should have received through normal operation.
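The _calc_supply walkthrough above, as an added example (not SlowMist's or Yearn's code): a simplified Python model of the two formulas, showing that a checked subtraction reverts on the second iteration and that the eight-round product update floors to 0 once s′ is small. It uses the article's rounded figures, so it does not reproduce the exact on-chain wrapped value; the 1.94e18 result is taken from the article as input, and all function names are hypothetical.

```python
# Added illustration, not the yETH pool's code: a simplified uint256 model of
# s' = (l - s*r) / d and r' = r * (s'/s)^8, fed with the article's rounded figures.
U256 = 2**256
PRECISION = 10**18
N_ASSETS = 8  # eight rounds in the nested product loop

def next_supply(l, s, r, d, checked):
    """One supply step. checked=True reverts instead of wrapping modulo 2**256."""
    prod = s * r
    if checked and (prod >= U256 or prod > l):
        raise ArithmeticError("s*r exceeds l: the subtraction would underflow")
    return ((l - prod % U256) % U256) // d

def update_product(r, sp, s, checked):
    """Eight rounds of r = floor(r * s' / s)."""
    for _ in range(N_ASSETS):
        if checked and r * sp >= U256:
            raise ArithmeticError("r*s' overflows uint256")
        r = (r * sp % U256) // s
    if checked and r == 0:
        raise ArithmeticError("product term rounded down to zero")
    return r

def first_two_iterations():
    """Checked run from the article's starting values; the 2nd step must revert."""
    amp, vb_sum = 450 * PRECISION, 10_903 * PRECISION   # 4.5e20, 1.0903e22
    s, r = 2_510 * PRECISION, 35 * 10**14               # 2.51e21, 3.5e15
    l, d = amp * vb_sum, amp - PRECISION
    s1 = next_supply(l, s, r, d, checked=True)
    r1 = update_product(r, s1, s, checked=True)
    try:
        next_supply(l, s1, r1, d, checked=True)
        reverted = False
    except ArithmeticError:
        reverted = True
    return s1, r1, reverted, l, d

def collapse_after_small_supply(s1, r1, l, d):
    """Unchecked path, taking the article's second-iteration s' ≈ 1.94e18 as given."""
    sp = 194 * 10**16
    r2 = update_product(r1, sp, s1, checked=False)      # floors to 0
    locked = next_supply(l, sp, r2, d, checked=False)   # (l - 0) / d
    return r2, locked

if __name__ == "__main__":
    s1, r1, reverted, l, d = first_two_iterations()
    print(f"s1={s1:.4e} r1={r1:.4e} checked 2nd step reverts={reverted}")
    print("r2, locked supply =", collapse_after_small_supply(s1, r1, l, d))
```

With r stored as 0, every later step returns l // d regardless of s, which is the fixed supply value the article describes.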

4. The attacker then restores the virtual balance product (vb_prod) to a non-zero value by performing a liquidity removal with an amount of 0. Let's examine the remove_liquidity function:

We can observe that during liquidity removal, even when the LP amount provided is 0, the virtual balance product is recalculated and updated. The calculation formula is as follows:

Here, D represents the total supply, wᵢ represents the weight of each asset, and vbᵢ is the new virtual balance of each asset after deducting the redeemed amount. Since the LP amount provided is 0, the virtual balances remain the same as before. The recalculated virtual balance product (vb_prod) is roughly 9.09e19, while the total virtual balance and total supply remain unchanged, equal to the values after the previous single-sided liquidity addition (vb_sum ≈ 1.0926e22, supply ≈ 1.095e22).

Next, the update_rates function is called to update the exchange rate for the wOETH asset. Let's examine the update_rates function:

First, the latest exchange rate for wOETH is fetched from the rate provider address. If the rate has changed, the new rate is used to update the virtual balance product (vb_prod), the corresponding asset virtual balances, and the total virtual balance. Afterwards, the _update_supply function is called to update the total LP supply. This explains why no liquidity was added for wOETH during the previous remove/add cycles: if the rate had changed, _update_rates would have been invoked during liquidity addition to update the rate. It is only at this step that the attacker can leverage a rate difference to restore the manipulated vb_prod and total supply.

During this process, the _calc_supply function is still called to compute the new supply and virtual balance product. Since the virtual balances have already been restored to non-zero values, the newly computed supply is smaller than the previous supply, and the corresponding yETH is burned by the contract.

At this point, the values of the virtual balance product (vb_prod), the virtual balance sum (vb_sum), and the total supply have been updated as follows: vb_prod ≈ 4.34e19, vb_sum ≈ 1.0926e22, supply ≈ 9.98e21.

5. The attacker then redeemed all LP tokens minted from the two previous liquidity additions via the remove_liquidity function. Because these LP tokens were minted during the third step when the supply was artificially inflated, and redemption occurred during the fourth step when the supply was restored and reduced, the attacker could redeem more tokens than normally expected, thereby reducing the pool's asset balances and total supply.

The attacker repeated the same manipulation in cycles, steadily reducing the LP supply and virtual balances. Notably, the rebase function of the OETHVaultCore contract was called to update the wOETH exchange rate, allowing the update_rates function to fetch the new rate and restore the total virtual balance product and supply.

After the final manipulation, the attacker was able to empty all assets from the pool following a liquidity removal, leaving vb_prod, vb_sum, and total supply all equal to 0.

6. With the pool completely drained, the attacker began adding dust liquidity to the empty pool.

Since the underlying eight LSD assets all have exchange rates close to 1e18, adding a dust amount of tokens results in each asset's virtual balance being equal to the token amount. With the total supply at 0, adding liquidity triggers the internal _calc_vb_prod_sum function, which recalculates the virtual balance product (vb_prod), total virtual balance, and current total supply.

These values are then passed into _calc_supply to calculate the new supply, i.e., the LP amount minted for the attacker. During an iteration in _calc_supply, an unsafe_mul overflow occurs, causing the computed supply to reach an enormous value (2.354e56), which allows the attacker to mint the corresponding amount of yETH.

7. Finally, the attacker directly sold the yETH through the AMM to exchange it for other assets and repaid the flash loan, realizing their profit.

MistTrack Analysis

According to the on-chain tracing and AML intelligence platform MistTrack, the attacker profited roughly $9 million from this incident. The initial funding appears to originate from a small amount of ETH transferred from Railgun.

After launching the attack, the attacker first transferred 1,100 ETH to Tornado Cash, of which 100 ETH was withdrawn for further exploitation.

The remaining profit, roughly $6 million (including 128 ETH, 48.96 cbETH, 203.55 rETH, 742.63 frxETH, 857.48 pxETH, and 167.67 stETH), was consolidated and transferred to the address 0xa80d3f2022f6bfd0b260bf16d72cad025440c822.

https://etherscan.io/address/0xa80d3f2022f6bfd0b260bf16d72cad025440c822

Notably, Yearn later recovered roughly $2.4 million by burning the pxETH held by the attacker. The 857.48 pxETH was subsequently re-minted and returned to the Redacted Cartel multisig wallet.

https://etherscan.io/tx/0x0e83bb95bb9d05fb81213b2fad11c01ea671796752e8770b09935f7052691c35

MistTrack has flagged the related addresses and will continue to monitor any unusual fund movements.

Summary

The core of this attack lies in the attacker exploiting overflow and rounding vulnerabilities caused by unsafe mathematical operations within the logic used to calculate LP supply when adding liquidity to Yearn's yETH Weighted Stableswap Pool contract. By carefully crafting specific virtual balance values and supply parameters to amplify the resulting calculation errors, the attacker was able to mint an excessively large amount of LP tokens and profit from it.

The SlowMist security team recommends that project teams and auditors strengthen coverage testing for extreme scenarios and edge cases in similar situations. Additionally, safe arithmetic operations with proper validation should be implemented when computing key variables to prevent severe vulnerabilities, such as overflow, from undermining protocol security.

Reference
https://github.com/banteg/yeth-exploit/blob/main/report.pdf

About SlowMist

SlowMist is a threat intelligence firm focused on blockchain security, established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
