Yearn Breaks Down ‘Infinite Mint’ Bug That Drained $9M From yETH Pools


What Did the Post-Mortem Reveal About the Exploit?
Yearn Finance has released a detailed post-mortem on last week’s yETH exploit, documenting how a numerical flaw in its legacy weighted stableswap pool allowed an attacker to mint LP tokens at near-infinite scale and drain around $9 million in liquid staking assets. The team confirmed that 857.49 pxETH has been recovered with support from the Plume and Dinero teams and will be redistributed to yETH depositors.
According to the report, the yETH stableswap pool was hit at block 23,914,086 on Nov. 30, following “a complex sequence of operations” that forced the pool’s solver into a divergent state before triggering an arithmetic underflow. The issue was isolated to the yETH pool; Yearn said its v2 and v3 vaults and other products “were not affected.”
The targeted pool aggregated several liquid staking tokens (LSTs) — apxETH, sfrxETH, wstETH, cbETH, rETH, ETHx, mETH, wOETH — along with a yETH/WETH Curve pool. Before the exploit, the pools held a mixed basket of LSTs and 298.35 WETH.
How Did the Three-Phase Exploit Work?
Yearn breaks the attack into three stages.
Phase 1: Forcing the solver off-track.
The attacker submitted extreme “add_liquidity” deposits that pushed the pool’s fixed-point solver into a range it was not built to handle. This collapsed an internal product term, Π, to zero, breaking the pool’s invariant and enabling the attacker to receive far more LP tokens than their deposits justified.
Phase 2: Draining liquidity using over-minted LP tokens.
With a surplus of LP tokens in hand, the attacker repeatedly called “remove_liquidity” and similar functions, pulling out most of the pool’s LST assets. The cost of the over-mint was absorbed by protocol-owned liquidity (POL) in the staking contract. Yearn said the repeated withdrawals drove the pool’s internal supply to zero even though ERC-20 balances still existed.
Phase 3: Re-entering a bootstrap path.
The attacker then accessed the pool’s initialization route — a path intended only for first-launch setup — by submitting a crafted “dust” configuration that violated a key domain rule. The move triggered an “unsafe_sub operation” that underflowed and created a massive quantity of yETH LP tokens. Yearn described the result as an “infinite-mint scale” event, which was then used to drain the yETH/ETH Curve pool.
Yearn’s timeline shows that a war room assembled within 20 minutes. SEAL 911 was contacted soon after. Approximately 1,000 that evening, with additional funds routed through Tornado on Dec. 5.
How Much Has Been Recovered, and Who Will Receive It?
Yearn confirmed that 857.49 pxETH was recovered on Dec. 1 after coordinated efforts with Plume and Dinero. These assets will be distributed pro rata to yETH depositors based on balances immediately before the exploit. Further recoveries — if achieved through negotiations or forensic tracing — will also be returned to depositors.
Yearn reiterated that yETH operates under YIP-72 and carries a “Use at Own Risk” clause. Contributors and the broader YFI governance are “not liable for reimbursement,” meaning all returns depend on successful recovery rather than treasury-funded compensation.
Earlier coverage from The Block showed that roughly $3 million in ETH shortly after the attack. The post-mortem aligns with those figures and connects them to the pxETH amount recovered to date.
What Changes Is Yearn Planning?
To prevent similar failures, Yearn listed several engineering steps:
- Introduce strict domain checks for solver inputs and treat Π = 0 as a fatal condition.
- Replace unchecked arithmetic with secure math in critical paths.
- Disable bootstrap logic after a pool goes live.
- Set issuance caps tying LP minting to the value of deposits.
- Expand tests to include invariant fuzzing, adversarial numerical edge cases and differential comparisons with offchain models.
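The guards in this list, sketched as an added Python model (not Yearn's code and not taken from the post-mortem). `GuardedPool`, its method and parameter names, and the 101% issuance cap are assumptions for illustration; deposit value and LP tokens are assumed to share one unit, and Python integers stand in for uint256.

```python
U256 = 2**256  # uint256 modulus

class PoolError(Exception):
    """Stands in for a contract revert."""

def unsafe_sub(a: int, b: int) -> int:
    """Wrapping subtraction: how unchecked uint256 arithmetic behaves."""
    return (a - b) % U256

def checked_sub(a: int, b: int) -> int:
    """Subtraction that reverts instead of wrapping."""
    if b > a:
        raise PoolError("underflow")
    return a - b

class GuardedPool:
    """Hypothetical mint path applying the guards listed above."""
    def __init__(self, cap_bps: int = 10_100):
        self.supply = 0
        self.live = False       # one-way flag, never derived from supply == 0
        self.cap_bps = cap_bps  # assumed cap: mint at most 101% of deposit value

    def bootstrap(self, initial_supply: int) -> None:
        if self.live:
            raise PoolError("bootstrap disabled once live")
        if initial_supply <= 0:
            raise PoolError("bad initial supply")
        self.supply, self.live = initial_supply, True

    def mint(self, deposit_value: int, solver_supply: int, pi_term: int) -> int:
        """solver_supply and pi_term stand in for the solver's outputs."""
        if not self.live:
            raise PoolError("pool not live")
        if deposit_value <= 0:
            raise PoolError("deposit outside solver domain")
        if pi_term == 0:
            raise PoolError("product term is zero: invariant broken")
        minted = checked_sub(solver_supply, self.supply)
        if minted * 10_000 > deposit_value * self.cap_bps:
            raise PoolError("mint exceeds issuance cap")
        self.supply = solver_supply
        return minted
```

Because `live` is a flag set once rather than a test on `supply`, a pool whose internal supply has been driven to zero still cannot reach the bootstrap path again.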
ChainSecurity assisted with the root-cause analysis, and SEAL 911 supported the incident response. Yearn said recovery and monitoring efforts remain remaining attacker-linked flows.






