In a significant breach of decentralized finance (DeFi) security, hackers exploited a critical vulnerability within Yearn Finance’s yETH pool, resulting in the theft of approximately $9 million. The exploit arose from a flaw in the pool’s internal accounting, specifically within the handling of cached virtual balances stored in a system referred to as packed_vbs[]. When liquidity was withdrawn and the main supply counter reset to zero, these cached balances failed to reset accordingly. This mismatch caused a desynchronization that misled the protocol into perceiving the pool as empty, despite residual phantom balances persisting in storage. This incident highlights the challenges that remain despite ongoing efforts in vulnerability detection within DeFi projects.
Yearn Finance’s yETH pool suffered a $9 million breach due to a critical cached balance desynchronization flaw.
The attacker capitalized on this vulnerability through a multi-phase operation, beginning with flash loans to initiate rapid cycles of deposits and withdrawals. This process intentionally polluted the virtual balance cache with small residual values that compounded over repeated transactions. Subsequently, all liquidity provider (LP) tokens were burned, resetting the supply count to zero while leaving the faulty cached balances intact. Exploiting the flawed “first deposit” logic, the attacker then deposited minuscule amounts—just 16 wei, a fraction of an Ethereum unit—to trigger infinite minting of yETH tokens amounting to an astronomical 235 septillion units. This massive minting was possible due to the protocol basing calculations on inflated cached values rather than actual collateral deposited internal accounting flaw. This exploit is notable as one of the most capital-efficient DeFi exploits ever observed, leveraging minimal initial capital for maximum asset extraction.
The minted yETH tokens, based on stale and inaccurate virtual balances rather than real collateral, were exchanged for various underlying liquid staking derivatives such as wstETH, rETH, cbETH, and others pooled within yETH. These assets were then converted to ETH through decentralized exchanges including Uniswap V3 and Balancer. A portion of approximately 1,000 ETH was subsequently routed through Tornado Cash, a privacy mixer platform, thereby obscuring the source and complicating recovery efforts.
The yETH pool attack stands among the most impactful DeFi exploits of 2025, with roughly $8 million lost from the primary stableswap pool and an additional $0.9 million drained from the yETH-WETH Curve pool. Despite the scale of the loss, Yearn’s primary V2 and V3 vaults remained unaffected, as this particular vulnerability was isolated within the custom stableswap contract variant deployed for yETH. The incident underscores the inherent risks in complex accounting mechanisms within DeFi protocols and highlights the pressing need for rigorous contract audits and balance synchronization safeguards.
