Full Report
Yearn got hacked for a third time in its long history. The author of this post dove into how the exploit works and explains it. It's important to understand what's going on and not just bookmark it. The yETH uses a hybrid AAM type. It acts as constant sum when the tokens are balanced, to keep prices stable and constant product as they get further out. The article shows a good graph of this. The function _calc_supply() is used for generating the values of the curve. Notably, it's figuring out what the supply is from the constant-product and constant sum values. This is done with an iterative approximation to converge to a new supply. The constant product term r is recomputed each iterate as the current value multiples by the new supply and divided by the previous supply. The goal is for the smoothness of the curve to get better over as more tokens are put into the pool. So, what's the vulnerability? If the decrease in the supply of an iteration is large enough, the the constant product term can round down to zero. Once this happens, it's 0 for the rest of the loop and poisons all value that it touches. Effectively, this creates a zero constant product term with a constant sum curve ALL the time. This is fine in the middle but is real bad on the edges because we are supposed to use the constant-product formula. The attack works as follows: Perform swap that will trigger the zero constant product term. Use this to receive more LP tokens from the pool than intended with the unbalanced reserves. Fix the constant product term back to the original during liquidity removal. Withdraw tokens. These will now be more than what you started with. Do it again and again... There's actually a second bug in this code that allowed them to steal even more funds. When calculating the value sp, there are several unsafe math functions being used; this means that integer overflow protections are not enabled. In the math (l - s * r) / d it's possible to make s*r larger than l to cause an integer overflow. This mints a crazy amount of LP tokens, which they use to steal even more money. It should be noted that this is only possible to do because of the first vulnerability above. The code appears to be a completely isolated product. Yearn v2 and v3 share zero code with yETH. This was an older product with millions still sitting in it. It's interesting how this occurred. Great articles describing the bug and the situation surrounding it!
Analysis Summary
# Incident Report: yETH Hybrid AMM Invariant Exploit
## Executive Summary
The Yearn Finance yETH protocol was targeted in a sophisticated dual-stage exploit resulting in a total loss of approximately $14 million. The attacker leveraged a rounding error in the iterative supply calculation of a hybrid AMM curve to break the protocol's invariant, followed by an integer underflow to mint near-infinite LP tokens. The attack was executed in a flash-loan style single transaction, immediately moving funds to Tornado Cash.
## Incident Details
- **Discovery Date:** December 4, 2025 (Date of public deep dive)
- **Incident Date:** Q4 2025
- **Affected Organization:** Yearn Finance (specifically the yETH product)
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Ethereum Blockchain
## Timeline of Events
### Initial Access
- **Date/Time:** Identified as a single atomic transaction.
- **Vector:** Exploitation of the smart contract's `_calc_supply` function logic.
- **Details:** The attacker utilized the precision loss in the iterative approximation solver used to determine the supply of the yETH hybrid curve.
### Lateral Movement
- **Mechanism:** Not traditional network movement; the attacker moved from exploiting the yETH pool to draining the yETH/WETH liquidity pool by utilizing inflated LP tokens.
### Data Exfiltration/Impact
- **Assets Stolen:** ~$8 million from the initial invariant exploit and ~$1 million from the WETH pool drainage (Total ~$9M - $14M based on combined reports).
- **Technique:** Automated swaps and liquidity removal powered by the logic bugs.
### Detection & Response
- **Discovery:** Post-incident analysis by security researchers (e.g., kaden.eth) and on-chain monitoring.
- **Response actions taken:** Yearn Finance contributors isolated the product; however, the attack was atomic (same-block), rendering real-time rescue impossible.
## Attack Methodology
- **Initial Access:** Smart contract vulnerability exploitation (Logic Error).
- **Persistence:** N/A (Atomic transaction).
- **Privilege Escalation:** By forcing the constant product term `r` to zero, the attacker effectively gained "infinite" slippage advantage.
- **Defense Evasion:** Execution of all steps (exploit, drain, and mixing via Tornado Cash) within a single transaction to bypass reactive security bots.
- **Discovery:** Reconnaissance of the `_calc_supply` iterative solver and identifying "unchecked" math blocks.
- **Impact:**
1. **Invariant Break:** Triggered a rounding error where `r` (constant product term) becomes 0, turning a hybrid curve into a constant sum curve at the edges.
2. **Integer Underflow:** Exploited `(l - s * r) / d` in an `unchecked` block where `s * r > l`, resulting in a massive LP token minting.
## Impact Assessment
- **Financial:** Total loss of approximately **$9 million USD** (per specific article figures).
- **Data Breach:** None (non-custodial protocol).
- **Operational:** Complete depletion of the yETH pool reserves; product rendered defunct.
- **Reputational:** Third major hack in Yearn's history, though limited to an older, isolated product code.
## Indicators of Compromise
- **Behavioral indicators:**
- Multiple iterative calls to `_calc_supply` with specific imbalanced reserve ratios.
- Large minting of LP tokens following "dust" deposits of `[1, 1, 1, 1, 1, 1, 1, 9]`.
- Immediate transfers to Tornado Cash within the same transaction.
## Response Actions
- **Containment measures:** Yearn developers confirmed yETH was isolated; yV2 and yV3 vaults were unaffected as they share no code with the yETH product.
- **Recovery actions:** Community-led "post-mortem" and deep-dives to document the sophisticated math error for future protocol safety.
## Lessons Learned
- **Iterative Solvers:** Numerical methods in smart contracts must have strict "revert" conditions if variables (like the constant product term) reach zero or fail to converge.
- **Isolation:** The architectural decision to keep yETH code isolated from the main yVaults successfully prevented a total ecosystem collapse.
- **Rounding Hazards:** Rounding to zero in a multiplicative loop can "poison" all subsequent calculations.
## Recommendations
- **Unchecked Math:** Avoid `unchecked` blocks in complex financial formulas unless exhaustive formal verification is performed on all possible input ranges.
- **Invariant Checks:** Implement post-execution "sanity checks" to ensure the pool invariant has not moved outside of expected bounds in a way that favors the user disproportionately.
- **Formal Verification:** Use tools like Certora or hisol to mathematically prove that the constant product term `r` can never reach zero during iterative loops.