Yearn $9M Asset Hack Deep Dive: From Protocol Vulnerability to USD Value Evaporation

December 1, 2025, the Yearn protocol experienced a meticulously planned multi-layered composite attack in DeFi history, ultimately resulting in approximately $9 million of user assets being wiped out. This was not a simple single-point vulnerability exploit, but a systemic destruction where attackers leveraged flash loans to mobilize funds, breached protocol defenses layer by layer, infinitely minted yETH-related LP tokens, and finally drained the liquidity pool. This incident once again warns the entire industry: the security risk of DeFi protocols does not lie in a single vulnerability, but in the cumulative explosion of multiple flaws — this is currently the most difficult attack pattern for the industry to defend against.

Event Overview: How Flash Loans Became the Lever for Multi-Stage Attacks

The attacker’s capital preparation strategy appears ordinary but laid the foundation for a series of chained operations. They simultaneously initiated flash loans from Balancer and Aave, borrowing large amounts of wstETH, rETH, WETH, ETHx, cbETH, and other ETH derivatives. These assets did not go directly into trading but were carefully allocated: out of 1100 ETH, 100 were sent to Tornado.Cash for mixing — the real purpose of this step was to obscure the source of funds and pave the way for subsequent “money laundering” operations.

After mixing, the attacker withdrew 100 ETH to a malicious contract address 0x3e8e7533dcf69c698Cf806C3DB22f7f10B9B0b97 and triggered its fallback function. In this covert callback, all borrowed assets were converted into yETH LP tokens in the weighted stableswap pool — equivalent to purchasing a “share certificate” of this liquidity pool. On the surface, this was a normal liquidity injection, but in reality, it was the final preparation for a clever “pool draining” trick.

Three Core Vulnerabilities: Precision Loss, Yield Stripping, Zero Supply Initialization as a Deadly Combo

First Layer Vulnerability: Precision Loss and Costless State Tampering

The technical core of the entire attack hinges on a seemingly insignificant code flaw: the remove_liquidity function does not short-circuit when the input amount is zero.

The attacker’s first move was to deliberately create an extreme imbalance in the pool’s assets. They repeatedly called add_liquidity, skipping the injection of tokens at index 3 (rETH), index 6 (wOETH), and index 7 (mETH), artificially widening the ratio gap among these three assets and others. Then, they unilaterally injected a large amount of rETH to further exacerbate the imbalance.

In this extremely unbalanced pool state, the attacker called remove_liquidity with an input amount parameter of 0. According to normal logic, removing 0 tokens should immediately return without any state change. But the pool.vy contract did not do this — it still executed the full vb_prod (virtual balance product) calculation loop.

Under the extreme weight imbalance, the _pow_down function (which performs floor calculations) caused significant precision loss. The contract incorrectly computed a smaller vb_prod value and wrote this tampered value into the global state packed_pool_vb. Essentially, the attacker successfully tampered with the entire pool’s book value with a “costless” operation (without transferring any tokens).

Second Layer Vulnerability: Yield Stripping and Share Erosion

The second vulnerability is more covert. When the attacker calls update_rates, it triggers the internal _update_supply logic. Because vb_prod had been maliciously lowered, the system perceived the total pool value to have shrunk sharply. To balance the books, the contract automatically destroyed a large portion of LP tokens held by the Staking contract.

The attacker precisely exploited this by arbitraging before and after the rate update. Each time update_rates was called to update specific assets’ (like wOETH, mETH) exchange rates, they immediately called remove_liquidity to extract assets. Since the shares in the Staking contract were destroyed en masse, the attacker’s LP share proportion increased passively. Repeating this “update-then-withdraw-then-destroy” cycle, the attacker drained the actual balances of wOETH and mETH, pushing the pool’s Total Supply toward a dangerous zero boundary.

Third Layer Vulnerability: Zero Supply Infinite Minting at the Critical Point

After the first two phases, the pool was drained: Total Supply approached 0, and balances of wOETH and mETH were extremely low. At this point, the attacker launched the final fatal blow: calling add_liquidity with parameters [1, 1, 1, 1, 1, 1, 1, 9] — injecting 1 wei (the smallest unit) into each of the first seven assets, and 9 wei into the eighth (mETH).

This seemingly absurd operation triggered a calculation crash in the contract at the critical moment of destruction. The _calc_supply iteration formula failed to handle such tiny values, ultimately causing the contract to erroneously mint 235,443 yETH LP tokens. This equates to creating millions of dollars worth of fake assets out of thin air.

Four-Stage Attack Breakdown: From Extreme Imbalance to Infinite Minting

Stage 1: Capital Preparation and Pool State Initialization

• Borrowed various ETH derivatives from Balancer and Aave
• Used Tornado.Cash to obfuscate fund sources
• Swapped all mixed funds and borrowed assets into yETH LP tokens

Stage 2: Artificial Creation of Extreme Imbalance

• Repeatedly injected liquidity unilaterally, skipping specific tokens (rETH, wOETH, mETH)
• Injected large amounts of rETH to further widen imbalance
• Created mathematical conditions conducive to precision loss

Stage 3: Yield Stripping and Share Erosion

• Triggered precision loss by calling remove_liquidity(0)
• Called update_rates to update exchange rates, causing LP tokens in the Staking contract to be destroyed
• Repeated arbitrage operations, draining wOETH and mETH balances
• Pushed the pool’s Total Supply toward zero

Stage 4: Zero Supply Infinite Minting

• At the brink of destruction, called add_liquidity([1,1,1,1,1,1,1,9])
• _calc_supply calculation failed, erroneously minting 235,443 LP tokens
• Attacker used exchange and redeem to convert assets
• Repaid flash loans and exchanged assets into Bitcoin, USD, etc., for liquidation

Fund Tracking and Liquidation Path: From yETH to USD Value Loss

The climax of this attack is the escape of funds. The attacker’s 235,443 LP tokens, after a series of exchange operations, were gradually converted into ETH and stablecoins. These assets were further exchanged on DEX pairs into Bitcoin and other more anonymous assets, ultimately offloaded via OTC platforms into cash or Bitcoin. Throughout this process, approximately $9 million of user funds were openly transferred on-chain from the protocol’s balance to the attacker’s wallet, then gradually converted into USD, Bitcoin, and other final assets, escaping entirely.

Industry Lessons: How DeFi Protocols Can Prevent Complex Composite Attacks

The key lessons from this incident are threefold:

Lesson 1: Strengthen Edge Case Validation DeFi protocols must rigorously validate edge scenarios such as “zero amount” and “extreme imbalance.” For example, remove_liquidity should immediately return when receiving a zero parameter, rather than executing the full calculation loop. Such “short-circuit handling” may seem simple but can effectively prevent state tampering.

Lesson 2: Optimize Precision Calculation Logic Functions like _pow_down that involve extreme ratio calculations must incorporate protective mechanisms. Consider using more precise numerical libraries, adding intermediate overflow checks, or employing different algorithms in extreme scenarios. The Balancer protocol has previously suffered attacks due to similar precision issues, serving as a warning.

Lesson 3: Establish Multi-Dimensional Anomaly Monitoring Build real-time monitoring systems to alert on:

• High-frequency unilateral liquidity injections causing extreme imbalance
• Abnormal exchange rate fluctuations and automatic destructions
• Zero-amount transactions and operations with tiny values
• Rapid short-term fluctuations in pool Total Supply

For the entire DeFi ecosystem, this incident proves a profound truth: security does not rely on fixing a single vulnerability but on systemic prevention of multiple flaw combinations. Protocol developers need to review code logic from a holistic perspective, leaving no seemingly “harmless” design flaw unexamined. Meanwhile, the industry should strengthen on-chain tracking and freezing of attacker funds, through DEX blacklists, OTC risk controls, and other measures to enhance overall security. The Yearn hack is not the end but a catalyst for the entire industry’s security evolution.