On November 30, 2025, Yearn’s yETH weighted stableswap pool — an LST aggregator for assets like apxETH, sfrxETH, and wstETH — was hit by a major exploit. A flaw in the pool’s fixed-point solver allowed an attacker to mint excess yETH LP tokens, break the invariant, and trigger an arithmetic underflow. By the end of the attack, nearly $9 million in LSTs and WETH had been drained.
While the exploit was severe, its blast radius remained contained. The issue was isolated to the yETH ecosystem and its Curve integration. Yearn v2/v3 vaults and other core products were not affected. The team responded quickly, forming a war room and coordinating with ecosystem partners to recover 857.49 pxETH (~$2.33M), though the remaining funds were laundered through Tornado Cash.
How the Attack Worked
The exploit was executed in a single transaction, but involved a carefully engineered three-phase sequence:
1. Breaking the Invariant
The attacker began by submitting highly imbalanced add_liquidity deposits. These extreme inputs forced the custom stableswap invariant into unstable territory. The Newton–Raphson solver, unable to handle the distorted values, started producing incorrect supply outputs—letting the attacker mint more LP tokens than they should have received.
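The mitigation for a solver that drifts on distorted inputs is to never trust an unconverged result. The following guarded Newton–Raphson loop is an added illustration written for this summary, not yETH's solver or invariant: `newton_solve`, `guarded_solve`, the `SolverError` type and the two sample functions are assumptions. It shows the pattern: the solver reports whether it converged, and the caller reverts on non-convergence or on a result outside the expected domain instead of minting against it.

```python
# Added example: a Newton–Raphson loop that reports convergence and a caller
# that refuses to act on a bad result. Not yETH's code; functions are stand-ins.
import math
from typing import Callable, Tuple


class SolverError(Exception):
    """Raised where an on-chain pool would revert instead of minting."""


def newton_solve(f: Callable[[float], float],
                 df: Callable[[float], float],
                 x0: float,
                 tol: float = 1e-9,
                 max_iter: int = 255) -> Tuple[float, bool]:
    """Return (x, converged). The loop is bounded and every step is checked."""
    x = x0
    for _ in range(max_iter):
        d = df(x)
        if d == 0.0 or not math.isfinite(d):
            return x, False           # flat or degenerate derivative: give up
        x_next = x - f(x) / d
        if not math.isfinite(x_next):
            return x, False           # blew up: give up
        if abs(x_next - x) <= tol * max(1.0, abs(x_next)):
            return x_next, True       # relative step below tolerance
        x = x_next
    return x, False                   # iteration cap hit without converging


def guarded_solve(f, df, x0: float, lower: float, upper: float) -> float:
    """Domain-checked wrapper: revert on divergence or out-of-range output."""
    x, ok = newton_solve(f, df, x0)
    if not ok:
        raise SolverError("solver did not converge")
    if not (lower <= x <= upper):
        raise SolverError(f"result {x} outside domain [{lower}, {upper}]")
    return x


def sqrt2() -> float:
    """Well-behaved case: sqrt(2) as the root of x^2 - 2, starting from 1.0."""
    return guarded_solve(lambda x: x * x - 2, lambda x: 2 * x,
                         x0=1.0, lower=1.0, upper=2.0)


def _cbrt(x: float) -> float:
    return math.copysign(abs(x) ** (1 / 3), x)


def _dcbrt(x: float) -> float:
    return (1 / 3) * abs(x) ** (-2 / 3) if x != 0 else 0.0


def cube_root_attempt() -> bool:
    """Pathological case: Newton on the signed cube root steps x -> -2x, so the
    iterates grow without bound. Returns True only if the guard let it through."""
    try:
        guarded_solve(_cbrt, _dcbrt, x0=1.0, lower=-1.0, upper=1.0)
        return True
    except SolverError:
        return False
```

The point of `guarded_solve` is the second check as much as the first: even a loop that stops within its iteration cap can return a value that is numerically "converged" yet outside the range the pool's state makes possible, and a bound on the output is the cheapest domain check available.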
2. Draining Liquidity
With the over-minted LP tokens in hand, the attacker initiated repeated remove_liquidity(0) calls. These temporarily restored a seemingly valid state but didn’t fix the inflated internal supply. Using this mismatch, the attacker drained LST reserves across multiple assets through single-asset withdrawals.
3. Abusing Initialization Logic
Once pool reserves reached near zero, the contract mistakenly reopened its bootstrap initialization path — a logic block meant only for deployment. A tiny dust deposit triggered an underflow during supply calculation, wrapping a negative number into an astronomically large positive value. The attacker minted 2.3 × 10⁵⁶ yETH and swapped a portion for 298 WETH before laundering the funds.
Root Cause Summary
The exploit stemmed from a mix of numerical instability, improper domain checks, and ungated initialization logic in the outdated yETH pool:
- Solver divergence due to imbalanced deposits
- Asymmetric invariant calculations during deposits vs. withdrawals
- Ability to reach a prev_supply == 0 state despite existing protocol-owned liquidity (POL)
- Bootstrap logic not permanently disabled after launch
- Unsafe arithmetic (unsafe_sub) converting domain violations into underflows
Together, these flaws allowed the attacker to break the invariant, mint unlimited tokens, and extract nearly all liquidity.
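Two of the listed causes can be shown in a few lines: wrapping subtraction that turns a domain violation into an enormous mint, and a bootstrap path keyed only on `prev_supply == 0`. The toy model below is an added example written for this summary, not yETH's Vyper source; the pool classes, the one-LP-per-reserve-unit "invariant" in `target_supply`, and the `DomainError` type are all assumptions. Each vulnerable path sits beside its hardened counterpart: `checked_sub` with a domain check before the subtraction, and an `initialized` flag that is set once and never cleared.

```python
# Added toy model (not yETH's code) of two root causes from the list above.
# The "invariant" is a placeholder; only the control flow and arithmetic matter.
TWO_256 = 2 ** 256


class DomainError(Exception):
    """Raised where the hardened pool would revert on-chain."""


def unsafe_sub(a: int, b: int) -> int:
    """Vyper unsafe_sub semantics: wrap modulo 2**256 instead of reverting."""
    return (a - b) % TWO_256


def checked_sub(a: int, b: int) -> int:
    """Safe path: a < b is a domain violation, not a number to keep computing with."""
    if a < b:
        raise DomainError(f"underflow: {a} - {b}")
    return a - b


def target_supply(reserve: int) -> int:
    """Stand-in for the invariant solver: the LP supply the reserves should back."""
    return reserve


class ToyPool:
    def __init__(self) -> None:
        self.reserve = 0
        self.supply = 0  # recorded LP supply

    def remove_liquidity(self, lp: int) -> int:
        if lp <= 0 or lp > self.supply:
            raise DomainError("invalid burn amount")
        payout = self.reserve * lp // self.supply
        self.supply -= lp
        self.reserve -= payout
        return payout


class VulnerablePool(ToyPool):
    def add_liquidity(self, amount: int) -> tuple:
        prev_supply = self.supply
        self.reserve += amount
        if prev_supply == 0:
            # Bootstrap keyed on supply alone: any path back to zero reopens it.
            minted, path = amount, "bootstrap"
        else:
            # Solver output minus recorded supply, with wrapping arithmetic.
            minted, path = unsafe_sub(target_supply(self.reserve), prev_supply), "solver"
        self.supply += minted  # Python ints do not wrap; the minted value is the point
        return minted, path


class HardenedPool(ToyPool):
    def __init__(self) -> None:
        super().__init__()
        self.initialized = False  # set once at deployment, never cleared

    def add_liquidity(self, amount: int) -> tuple:
        if amount <= 0:
            raise DomainError("deposit must be positive")
        prev_supply = self.supply
        self.reserve += amount
        if not self.initialized:
            self.initialized = True  # bootstrap closes permanently
            minted, path = amount, "bootstrap"
        else:
            new_supply = target_supply(self.reserve)
            # Domain check first: a solver result below the recorded supply means
            # the state is inconsistent, so revert instead of minting.
            minted, path = checked_sub(new_supply, prev_supply), "solver"
        self.supply += minted
        return minted, path


def demo() -> dict:
    results = {}
    # Scenario 1: recorded supply already inflated above what the reserves back
    # (the mismatch described in phase 2), then a dust deposit. The mismatch is
    # set directly as constructed state; how it arose is not modelled here.
    v = VulnerablePool()
    v.reserve, v.supply = 3, 1_000
    results["vulnerable_dust_mint"], _ = v.add_liquidity(1)
    h = HardenedPool()
    h.reserve, h.supply, h.initialized = 3, 1_000, True
    try:
        h.add_liquidity(1)
        results["hardened_reverted"] = False
    except DomainError:
        results["hardened_reverted"] = True
    # Scenario 2: withdraw everything, then deposit again: does bootstrap reopen?
    for name, pool in (("vulnerable", VulnerablePool()), ("hardened", HardenedPool())):
        pool.add_liquidity(100)
        pool.remove_liquidity(100)
        _, results[f"{name}_path_after_drain"] = pool.add_liquidity(1)
    return results
```

Running `demo()` shows the two behaviours side by side: the vulnerable pool answers a 1-unit deposit with a mint just under 2**256 and reopens its bootstrap branch after a full withdrawal, while the hardened pool reverts on the inconsistent state and keeps routing through the solver path once initialized. A fuzzer pointed at `HardenedPool` with random deposit and withdrawal sequences should never observe the `"bootstrap"` path twice, which is the kind of property the post-mortem's added fuzzing coverage exists to check.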
This is just the short version.
To explore complete transaction flows, diagrams, root-cause math, and recovery details, check out our full analysis: Yearn’s $9M Invariant Solver Exploit
Response & Recovery
Yearn acted quickly — alerting users, activating a war room, and collaborating with Plume and Dinero. This resulted in the recovery of 857.49 pxETH, with more efforts ongoing. A full post-mortem was published outlining mitigations, including domain checks, safer arithmetic paths, and increased fuzzing coverage.