How did 9 million dollars disappear? A Complete Breakdown of the Yearn Exploit

YaelYael
AbbieAbbie
/Dec 5, 2025
How did 9 million dollars disappear? A Complete Breakdown of the Yearn Exploit

As markets cooled, many protocols slipped into a low-activity mode. Updates slowed, audits fell behind, and long-running code began to reveal risks that had been buried for years.
These weak points quickly became targets, and on-chain attacks started to spike.
In November 2025 alone, more than 180 million dollars were stolen.

On December 1, the long-standing DeFi project Yearn became the next victim.
Its yETH pool was drained for roughly 9 million dollars.

This article explains the entire incident in plain language: What exactly did the hacker do?

1. Before we look at the exploit, let’s understand how LP tokens and pools work

If you are unfamiliar with LP tokens, liquidity, or AMM accounting, this section gives you the basics needed to understand the later steps.

Liquidity pools: everyone deposits assets into one shared vault

Think of the yETH pool as a large shared vault filled with different ETH liquid-staking tokens such as stETH, cbETH, rETH and wstETH.
The more people deposit, the deeper and more stable the pool becomes.

When you deposit assets, the system issues LP tokens.
LP tokens represent your share of the pool.
You earn returns based on your share, and you can redeem them later for your portion of the underlying assets.

How does the pool decide how many LP tokens to give you?

Because each asset has different value, the pool must answer one question:

“How much is your deposit worth relative to the entire pool?”

This calculation is handled by Yearn’s core function called calc_supply, which computes the new LP supply and a key metric called Π (vb_prod).
It converts everything into a unified value and performs several mathematical steps.
If the math is correct, the pool stays healthy.
If the math breaks, the entire system becomes vulnerable.

Σ and Π: two metrics that keep the pool balanced

The pool tracks two internal values:

Σ: the sum of all virtual balances, representing the total size of the pool
Π: the product of all virtual balances, representing how balanced the pool is

Remember one idea:Π is the value that keeps the AMM curve functioning normally.

If Π becomes incorrect, the pool misprices assets.
If Π becomes zero, the AMM essentially loses its ability to understand value.

The hacker’s goal was to force Π to become zero.

2. How the hacker pushed Yearn toward collapse

Step 1: Make the pool enter a fragile numerical state

The attacker first borrowed a large amount of LSTs using flash loans.
Then they performed a series of normal-looking actions:

Refreshing exchange rates
Adding a small amount of liquidity
Removing a small amount of liquidity

None of these actions were harmful by themselves, but together they pushed calc_supply into a very fragile numerical range where small changes could flip the function into incorrect behavior.

Step 2: Forcing calc_supply into an error path where Π becomes zero

Inside calc_supply there is a critical expression:

Π' = Π multiplied by (s' divided by s) raised to the power of eight

The attacker engineered the pool so that s' became much smaller than s.

When s' is tiny, the ratio s' divided by s becomes extremely close to zero.

Raising this ratio to the eighth power rounds it down to zero.

So Π' ends up as zero, since it is multiplied by zero.

Π becomes zero. The AMM curve effectively dies

At this point, the pool no longer evaluates asset relationships correctly.

Step 3: With Π equal to zero, the attacker begins minting LP out of thin air

Once Π becomes zero, calc_supply collapses into a simple linear model.
When the attacker deposits one single asset, the system severely overestimates its value and mints an enormous amount of LP tokens in return.

The attacker can now:

Deposit a small amount of real assets
Receive a massive amount of inflated LP tokens

Step 4: Redeeming fake LP for real assets until the pool is emptied

The attacker now holds LP tokens worth far more than they should be.
When redeeming LP:The contract returns real ETH and LSTs based on LP ratio

The pool has no idea that the LP supply is fake, so every redemption removed actual ETH and LSTs from the pool. Each round tightened the drain, and a few repetitions were enough to strip the pool of most of its assets.

Step 5: After the pool is empty, the attacker performs a final dust-level mint

Once the pool reached:

Σ equals zero
Π equals zero
D equals zero
calc_supply should ideally stop working, but Yearn had no such protection.

The attacker deposited a microscopic amount of assets, almost at the dust level.

Because calc_supply used unsafe_sub and unsafe_mul without overflow checks, the key calculation underflowed into a massive number, roughly 2.6 × 10^56. The system treated this as valid and minted the entire amount to the attacker, marking the final stage of the exploit.

3. Why are these mathematical exploits becoming more common? 

This sort of failure did not begin with Yearn.

On May 22, 2025, the biggest DEX on Sui, Cetus, lost 223 million dollars.

Cetus used a custom shift-left check for overflow, but the threshold constant was incorrect.A value that should have triggered overflow was accepted as valid.The attacker turned a deposit of a single token into an enormous liquidity position and drained multiple pools.

The underlying pattern is the same as the Yearn exploit. A critical mathematical component lacked protection against extreme inputs, the attacker pushed the system into those extreme conditions, the calculations collapsed, and the pool was drained as a result.

These attacks do not exploit permissions. They exploit mathematics.

4. How protocols can avoid becoming the next Yearn

Across cases like Yearn and Cetus, several common lessons appear.

Mathematical functions must be tested under extreme conditions

Pay special attention to:

Values approaching zero
Exponentiation, especially when the exponent is four or higher
Very large or very small supply-to-balance ratios

Both Yearn and Cetus failed due to untested extreme values.

Never use arithmetic functions without safety checks

Leaving even one unchecked mathematical operation is enough to destroy an entire protocol.

Yearn used unsafe_sub, which caused underflow and produced a supply of 10^56.

Cetus used a faulty overflow check, allowing infinite liquidity.

One unchecked line of math can collapse a billion-dollar system.

LP minting must include a maximum cap

A simple rule like the following blocks almost all mathematical exploits:

Minted LP cannot exceed the deposited value multiplied by a reasonable cap

Even a cap of two or three would have prevented both incidents.

The biggest threat to DeFi is not the creativity of hackers.
It is the blind trust that protocols place in their own mathematical assumptions.

As systems grow more complex and more composable, boundary-case and math-driven exploits will only become more common.

Before the next attack arrives, every protocol needs to ask itself:

Is your core mechanism a real line of defense, or only the illusion of one?

Secure Your Crypto Journey with OneKey

View details for Shop OneKeyShop OneKey

Shop OneKey

The world's most advanced hardware wallet.

View details for Download AppDownload App

Download App

Scam alerts. All coins supported.

View details for OneKey SifuOneKey Sifu

OneKey Sifu

Crypto Clarity—One Call Away.

Keep Reading