The $9M yETH Exploit: How 16 Wei Became Infinite Tokens

Check Point Research disclosed that on November 30, 2025, a critical exploit against Yearn Finance’s yETH pool on Ethereum allowed an attacker to mint 235 septillion yETH by depositing just 16 wei, resulting in roughly $9 million stolen. The root cause was a cached storage bug: residual values in packed_vbs[] were not reset when supply hit zero, which enabled a capital-efficient state-poisoning exploit.

Key Points

  • The exploit occurred on November 30, 2025 and drained about $9 million from Yearn Finance’s yETH pool.
  • The attacker minted 235 septillion yETH tokens after depositing only 16 wei by abusing stale cached virtual balances (packed_vbs[]).
  • The vulnerability stemmed from packed_vbs[] not being explicitly reset when all LP tokens were burned and supply became zero.
  • The attack used flash loans from Balancer and Aave, repeated deposit/withdraw cycles to poison state, a final full withdrawal to set supply=0, and tiny deposits across tokens to trigger incorrect minting.
  • Stolen assets (sfrxETH, wstETH, ETHx, cbETH, rETH, apxETH, wOETH, mETH) were swapped for ETH via DEXes (Balancer, Uniswap V3), flash loans were repaid, and funds were partially laundered through Tornado Cash.
  • Mitigation recommendations include explicit state resets on full withdrawals, transaction-sequence simulation, runtime protocol-aware monitoring, and blocking abnormal minting/drain patterns.
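
The first mitigation above (explicit state reset on full withdrawal) and the invariant a sequence simulation or monitor would check, as an added example that is not code from Yearn or from the Check Point article. ToyPool, its three-asset 1:1 accounting, and the drift value are hypothetical; the residue is set directly as constructed state, and how it accumulates on-chain is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class ToyPool:
    """Simplified stand-in for a pool with cached virtual balances (not Yearn's code)."""
    reset_on_empty: bool                       # True = hardened variant
    supply: int = 0                            # LP tokens outstanding
    balances: list = field(default_factory=lambda: [0, 0, 0])    # real assets held
    cached_vbs: list = field(default_factory=lambda: [0, 0, 0])  # cached virtual balances

    def add_liquidity(self, amounts):
        if self.supply == 0 and self.reset_on_empty:
            self.cached_vbs = [0] * len(self.cached_vbs)   # never trust an old cache
        prev_total = sum(self.cached_vbs)
        for i, amount in enumerate(amounts):
            self.balances[i] += amount
            self.cached_vbs[i] += amount
        if self.supply == 0:
            minted = sum(self.cached_vbs)      # first-deposit path reads the cache
        else:
            minted = sum(amounts) * self.supply // prev_total
        self.supply += minted
        return minted

    def remove_all(self):
        """Burn every LP token and pay out all real balances."""
        paid, self.balances = self.balances, [0] * len(self.balances)
        self.cached_vbs = [max(c - p, 0) for c, p in zip(self.cached_vbs, paid)]
        self.supply = 0
        if self.reset_on_empty:
            self.cached_vbs = [0] * len(self.cached_vbs)   # explicit state reset
        return paid

def stale_cache_slots(pool):
    """Invariant for tests and monitors: supply == 0 implies an all-zero cache."""
    if pool.supply != 0:
        return []
    return [i for i, vb in enumerate(pool.cached_vbs) if vb != 0]

def scenario(reset_on_empty, drift=10**18):
    pool = ToyPool(reset_on_empty)
    pool.add_liquidity([1000, 1000, 1000])
    pool.cached_vbs[0] += drift                # constructed residue, set directly
    pool.remove_all()
    stale = stale_cache_slots(pool)
    minted = pool.add_liquidity([6, 5, 5])     # 16 units deposited in total
    return stale, minted

if __name__ == "__main__":
    print("vulnerable:", scenario(False))
    print("hardened:  ", scenario(True))
```

Running stale_cache_slots after every step of a simulated deposit/withdraw sequence flags the poisoned state at the moment supply reaches zero, before any mint reads it.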

MITRE Techniques

  • No MITRE ATT&CK techniques are explicitly mentioned in the article.

Indicators of Compromise

  • [Token/Asset Names] Assets involved in the exploit and swaps: wstETH, rETH, and other LSDs like cbETH (used in flash loans, deposits, and final extraction)
  • [Protocol/Service Names] DeFi platforms and services used by the attacker: Balancer, Aave, Uniswap V3, and Tornado Cash (flash loans, swaps, and laundering)
  • [Contract State Artifacts] On-chain state and transaction artifacts observed: packed_vbs[] residual values, self.supply = 0, and minting of 235 septillion yETH (triggered by 16 wei deposits)


Read more: https://research.checkpoint.com/2025/16-wei/