Yearn - Rekt III: Exploit Analysis
Executive Summary
Yearn Finance experienced its third major security incident on November 30, 2025, involving the yETH liquid staking token pool. An attacker exploited legacy code containing an unchecked arithmetic underflow vulnerability, minting approximately 235 trillion yETH tokens and draining $9 million from the pool.
What Happened
On November 30th at 21:11 UTC, a single atomic transaction compromised Yearn's yETH stableswap pool. The attack resulted in:
• $8 million drained from the yETH stableswap pool
• $0.9 million siphoned from the yETH-WETH Curve pool
• ~1,000 ETH (~$3 million) immediately laundered through Tornado Cash
• $2.33 million later recovered through coordinated efforts with Plume and Dinero teams
• $3.84 million remaining in attacker's primary wallet
The V2 and V3 vault infrastructure remained unaffected throughout the incident.
Technical Root Cause
The vulnerability stemmed from a custom stableswap contract implementing novel invariant mathematics for liquid staking token aggregation. The core issue involved unchecked arithmetic underflow in a Newton-Raphson solver function (calc_supply()).
Key technical failures:
• Corrupted invariant state: The relationship between the pool's balance sum (Σ) and balance product (Π) drifted away from mathematical validity through repeated operations
• Rounding asymmetry: Differences between the pow_up and pow_down functions introduced systematic drift
• Unchecked arithmetic: The calculation s' = (A_Σ - s_r) / (A - PREC) could produce a negative numerator, which wrapped around modulo 2²⁵⁶ to a value near 2²⁵⁶ in EVM arithmetic
• Rebasing complications: OETH's automatic balance rebasing further corrupted the invariant
• No sanity checks: The code never validated that calculated values remained physically plausible
As noted in the analysis: "When A_Σ < s_r, the numerator goes negative. In EVM arithmetic, negative wraps to 2²⁵⁶, creating a number around 10⁷⁷."
Attack Vector and Exploit Steps
Step 1: Invariant Corruption
The attacker triggered multiple remove_liquidity(0) calls—withdrawals of zero value that still triggered balance recalculations. Combined with update_rates() operations, this gradually corrupted the relationship between actual balances and the mathematical invariant.
Step 2: Detonation Sequence
The attacker then deposited minimal dust amounts:
• 1 wei of wstETH
• 1 wei of rETH
• 1 wei of cbETH
• 9 wei of mETH
This trivial deposit triggered the calc_supply() Newton-Raphson solver, which attempted to calculate LP tokens due for the deposit amount.
Step 3: Arithmetic Overflow Exploitation
With amplification factor A = 4.5 × 10²⁰ and corrupted invariant state, the solver's calculation produced:
• D_new ≈ 2.3544 × 10⁵⁶
The pool minted this enormous quantity of yETH tokens directly to the attacker's address.
Step 4: Asset Drainage
Helper contracts deployed minutes before the attack used the counterfeit LP tokens to execute single-asset withdrawals, draining real liquidity. These contracts self-destructed to obscure the bytecode trail.
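To make the unchecked-underflow mechanism from the Technical Root Cause section and the Step 3 result concrete, the following Python simulation is an added example, not Yearn's code: it emulates the wrapping subtraction inside s' = (A_Σ - s_r) / (A - PREC), contrasts it with a guarded version that reverts, and applies a coarse mint-plausibility bound of the kind the pool lacked. PREC, the operand values and the plausibility policy are assumptions.

```python
# Added illustration (not the yETH pool's code): emulate the unchecked EVM
# subtraction in the Newton-Raphson step s' = (A_Σ - s_r) / (A - PREC) and
# show the guard and sanity bound that would have reverted the dust deposit.
# PREC, the sample operands and the tolerance policy are assumed values.

MODULUS = 2**256
PREC = 10**18                 # assumed fixed-point precision constant
A = 450 * PREC                # amplification 4.5e20 as given in the write-up


def evm_sub(a: int, b: int) -> int:
    """Unchecked uint256 subtraction: a negative difference wraps modulo 2**256."""
    return (a - b) % MODULUS


def newton_step_unchecked(a_sigma: int, s_r: int) -> int:
    """Vulnerable form: wraps silently once a_sigma < s_r."""
    return evm_sub(a_sigma, s_r) // (A - PREC)


def newton_step_checked(a_sigma: int, s_r: int) -> int:
    """Hardened form: refuse to continue once the invariant has drifted."""
    if a_sigma < s_r:
        raise ArithmeticError("A*sigma < s_r: invariant drift, refusing to underflow")
    return (a_sigma - s_r) // (A - PREC)


def checked_step_reverts(a_sigma: int, s_r: int) -> bool:
    """True when the hardened step would revert for this state."""
    try:
        newton_step_checked(a_sigma, s_r)
    except ArithmeticError:
        return True
    return False


def mint_is_plausible(old_supply: int, new_supply: int, deposit_value: int,
                      tolerance_bps: int = 10_000) -> bool:
    """Coarse sanity bound (assumed policy): LP tokens minted for a deposit may
    not exceed the deposit's value by more than the tolerance (default 100%)."""
    minted = new_supply - old_supply
    return 0 <= minted <= deposit_value * (10_000 + tolerance_bps) // 10_000


# Constructed state in which drift has pushed s_r just past A*sigma.
A_SIGMA = 1000 * PREC
S_R = A_SIGMA + PREC          # difference is -1e18, i.e. wraps to 2**256 - 1e18

if __name__ == "__main__":
    d_new = newton_step_unchecked(A_SIGMA, S_R)
    print(f"unchecked result: {d_new:.4e}")   # same order as the 2.35e56 mint
    print("plausible for a 12 wei deposit:", mint_is_plausible(1000 * PREC, d_new, 12))
    print("checked step reverts:", checked_step_reverts(A_SIGMA, S_R))
```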
Financial Impact
Component                       Amount
yETH stableswap pool loss       $8,000,000
yETH-WETH Curve pool loss       $900,000
Total Loss                      $9,000,000
Tornado Cash laundering         ~$3,000,000
Recovered funds                 $2,330,000
Remaining in attacker wallet    $3,840,000
Key Addresses and Transactions
Attacker Infrastructure:
• Primary attacker address: 0xa80D3F2022F6Bfd0B260bF16D72CaD025440C822
• Secondary attacker address: 0xFb63aa935Cf0a003335dCE9Cca03c4F9c0fa4779
• Main attack contract (self-destructed): 0xB8e0A4758Df2954063Ca4ba3d094f2d6EdA9B993
• Helper contract: 0xbb2789b418fA18f9526bA79fa7038d4e6d753f73
• Loot/Tornado pipeline wallet: 0x3e8e7533dcf69c698Cf806C3DB22f7f10B9B0b97
Key Transactions:
• Funding via Railgun: 0x68f88d2ffcef1ceafde26fc290cf1d31ff9a461b4ee2aeb68da8aa9cf70e600c
• Attack execution: 0x53fe7ef190c34d810c50fb66f0fc65a1ceedc10309cf4b4013d64042a0331156
• Recovery operation: 0x0e83bb95bb9d05fb81213b2fad11c01ea671796752e8770b09935f7052691c35
Exploited Pool: 0x69accb968b19a53790f43e57558f5e443a91af22
Remediation and Response
Immediate Actions:
• Yearn established an incident response war room with SEAL911 and ChainSecurity
• Coordinated recovery efforts with Plume and Dinero teams
• Successfully recovered approximately 857.49 pxETH ($2.33 million)
• Confirmed V2 and V3 vault infrastructure remained secure
Root Cause Assessment:
The fundamental issue was architectural: yETH operated as an isolated legacy product with custom mathematics that had effectively been abandoned post-development. The codebase contained no active maintenance, monitoring, or ongoing security audits despite processing millions in liquidity.
Key Finding from Post-Mortem:
The analysis revealed: "It was a separate product with quite complex/novel math; it doesn't share any code with vaults." This isolation meant security attention flowed to active products while legacy systems degraded unnoticed.
Systemic Lessons
This marked Yearn's third major exploit:
1. 2021: $11 million flash loan attack
2. 2023: yUSDT misconfiguration exploit
3. 2025: yETH legacy code underflow
The persistent pattern suggests organizational vulnerability: when products transition to maintenance mode, the distinction between "operational" and "abandoned" blurs dangerously. Legacy code running production math but receiving minimal oversight creates systematic risk.