Post

The M yETH Exploit - How 16 Wei Became Infinite Tokens

Posted
By ictsec.pl
1 min read

On November 30, 2025, Check Point Research detected a critical exploit targeting Yearn Finance’s yETH pool on Ethereum. Within hours, approximately a million was stolen from the protocol. The attacker achieved this by minting an astronomical number of tokens—235 septillion yETH (a 41-digit number)—while depositing only 16 wei, worth approximately bash.000000000000000045. This represents one of the most capital-efficient exploits in DeFi history.

The attack exploited a critical flaw in how the protocol manages its internal accounting. The yETH pool caches calculated values in storage variables called packed_vbs[] to save on gas costs. These variables store virtual balance information that tells the protocol how much value exists in the pool. The vulnerability emerged when the pool was completely emptied—while the main supply counter correctly reset to zero, the cached packed_vbs[] values were never cleared.

The attacker executed the exploit in three stages: First, they performed over ten deposit-and-withdrawal cycles using flash-loaned funds, deliberately leaving small residual values in the packed_vbs[] storage with each iteration. Second, they withdrew all remaining liquidity, bringing the supply to zero while the cached values remained populated with accumulated phantom balances. Finally, they deposited just 16 wei across eight tokens. The protocol detected that supply was zero and triggered its “first-ever deposit” logic, which read the cached values from storage. Instead of minting tokens based on the 16 wei actually deposited, the protocol read the accumulated phantom values and minted trillions upon trillions of LP tokens, giving the attacker control over the entire pool.

The developers correctly handled the normal flow:

  • Adding liquidity updates virtual balances
  • Removing liquidity decrements virtual balances
  • Swapping updates virtual balances

But they missed the edge case:

  • Removing ALL liquidity should RESET virtual balances to zero.

To read the complete article see: Checkpoint Research

ATTACK
EXPLOIT DEFI ETHEREUM
This post is licensed under CC BY 4.0 by the author.