Yearn Finance yETH Pool Exploited via Cached Storage Flaw
Summary
Hide ▲
Show ▼
An attacker exploited a vulnerability in Yearn Finance's yETH pool on Ethereum, draining approximately $9 million in assets. The flaw stemmed from a desynchronization in the pool's cached storage system, allowing the attacker to mint an excessive amount of yETH tokens after depositing a negligible amount. The exploit involved a complex series of transactions, including flash loans and repeated deposit-withdrawal cycles, to manipulate the pool's virtual balances.
Timeline
-
03.12.2025 17:30 1 articles · 23h ago
Yearn Finance yETH Pool Exploited via Cached Storage Flaw
An attacker exploited a vulnerability in Yearn Finance's yETH pool on Ethereum, draining approximately $9 million in assets. The flaw stemmed from a desynchronization in the pool's cached storage system, allowing the attacker to mint an excessive amount of yETH tokens after depositing a negligible amount. The exploit involved a complex series of transactions, including flash loans and repeated deposit-withdrawal cycles, to manipulate the pool's virtual balances.
Show sources
- Yearn Finance yETH Pool Hit by $9M Exploit — www.infosecurity-magazine.com — 03.12.2025 17:30
Information Snippets
-
The attacker minted 235 septillion yETH tokens after depositing only 16 wei, valued at approximately $0.000000000000000045.
First reported: 03.12.2025 17:301 source, 1 articleShow sources
- Yearn Finance yETH Pool Hit by $9M Exploit — www.infosecurity-magazine.com — 03.12.2025 17:30
-
The vulnerability was due to a desynchronization in the yETH pool's cached storage system, which failed to reset cached values when the main supply counter was reset to zero.
First reported: 03.12.2025 17:301 source, 1 articleShow sources
- Yearn Finance yETH Pool Hit by $9M Exploit — www.infosecurity-magazine.com — 03.12.2025 17:30
-
The exploit involved six distinct phases, including borrowing assets through flash loans, polluting virtual balances, and converting stolen assets into ETH.
First reported: 03.12.2025 17:301 source, 1 articleShow sources
- Yearn Finance yETH Pool Hit by $9M Exploit — www.infosecurity-magazine.com — 03.12.2025 17:30
-
The attacker used various DEXs and Tornado Cash to launder the stolen funds.
First reported: 03.12.2025 17:301 source, 1 articleShow sources
- Yearn Finance yETH Pool Hit by $9M Exploit — www.infosecurity-magazine.com — 03.12.2025 17:30