A minor error in the calculation algorithm led to the theft of crypto assets from one of the oldest and most reputable projects on the crypto market.

The math of crime: how a hacker managed to hack Yearn for $9 million

05.12.2025


On December 1, 2025, one of the oldest decentralized services, Yearn Finance, which helps people earn money on their tokens, was attacked. As a result, the attacker was able to withdraw about $9 million. GetBlock AML Research publishes a full analysis of the attack.

What was the mistake?

The problem arose in how the Yearn system calculates the number of “shares” (LP tokens) that a user receives when they put assets into one of the pools — yETH. An incorrect mathematical formula was used within this pool. Due to rounding errors and number overflow, the program could calculate the result incorrectly.

An attacker exploited this vulnerability: he was able to “rig” the values so that the system gave him many more shares than he was entitled to. These shares can be exchanged for real tokens — that’s how he made his money.

What you need to know about the yETH pool

yETH is a pool where people deposit tokens related to Ethereum (different versions of “staked” ETH). When a user deposits such tokens into the pool, they receive a “share” in the form of yETH in return. These shares must accurately reflect the real value of what is in the pool.

The pool has:

  • a virtual balance — a conditional “internal number” that the system uses to determine how much is in the pool;
  • a variable D — the total amount of all shares that should exist in a properly balanced pool.

If D increases, there are more shares; if it decreases, there are fewer shares. This logic should support fair exchange. The problem is that these values were calculated using a complex formula, in which an error occurred.

Formula for calculating shares.

How the attack unfolded

1. Taking out a flash loan

The attacker took out a short-term loan (flash loan) — a huge amount of various ETH tokens. He withdrew part of the ETH through the Tornado Cash anonymizer to cover his tracks, and then returned it to his malicious contract.

2. Substitution of internal pool values

He called a function that updates the internal coefficients (rates) for all pool tokens. This changed how the system evaluates the value of each asset. Immediately after that, he contributed 800 WETH and received the first LP tokens (yETH).

3. “Swinging” the pool: repeatedly adding and withdrawing liquidity

Then the key part of the attack began.

The attacker repeatedly withdrew all assets from the pool and then added back only some of them, not all. This created a distortion in the pool’s internal numbers — especially in the so-called “virtual balance.” During the repetitions, one of the internal variables (the virtual balance product) decreased to zero.

At this point, the system began to calculate as if there were a lot of assets in the pool — more than there actually were. This allowed the attacker to obtain too many LP tokens.

Why did the formula fail?

An incorrect subtraction inside the calculation function caused a numeric overflow. Because of this, the value sharply “dropped” to a very small one that completely broke the calculation: since the formula divides a large number by this small one, the final result grew hundreds of thousands of times.

All this led to the attacker receiving a huge amount of LP tokens that he should not have received.

Restoring normal values

After inflating his virtual balance, the attacker used a clever trick: he called the coefficient update function for one of the tokens in order to return the pool variables to their normal state. But the incorrect LP tokens he had received earlier did not disappear — and now they could be exchanged for real funds.

Withdrawal of assets

The attacker moved his tokens back and forth several times until he completely emptied the pool. After the final operation, the pool was left with zeros: zero balances, zero value, zero share amounts.

Adding “dust” and the final scam

When the pool was completely empty, the attacker added a symbolic amount of tokens (literally “dust”) to it. Since there were no other assets in the pool, the system decided that all tokens belonged to him and that a new huge amount of LP tokens should be created based on them.

Due to an overflow error at the time of calculation, the system “created” a token amount of about 2.354e56 — a fantastic number. The attacker received these tokens for himself.
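To make the two failure modes above concrete (a denominator term that wraps to a tiny residue and inflates a pro-rata mint, and an empty-pool “dust” deposit that must mint exactly its value), here is an added, deliberately simplified Python model. It is not Yearn’s code and does not reproduce the yETH formula, which the write-up does not give; the pool values, the 800-unit deposit and the wrapped product are constructed, and `mint_is_sane` is a hypothetical independent check of the kind the conclusion says was missing.

```python
from fractions import Fraction

UINT256 = 2**256
WAD = 10**18          # 18-decimal fixed point used for token amounts

def wrap(x: int) -> int:
    """Emulate unchecked uint256 arithmetic: results wrap modulo 2**256."""
    return x % UINT256

def shares_for_deposit(deposit_value: int, denominator: int, total_supply: int) -> int:
    """Pro-rata LP mint. `denominator` is the pool value the formula believes in;
    when it is wrong (wrapped to a tiny residue) the mint explodes."""
    if total_supply == 0:
        return deposit_value          # empty pool: one share per unit of value
    return deposit_value * total_supply // denominator

def mint_is_sane(shares: int, deposit_value: int, real_pool_value: int,
                 total_supply: int, tol: Fraction = Fraction(1, 1000)) -> bool:
    """Hypothetical independent check: the depositor's fraction of the new
    supply may not exceed the fraction of real pool value they contributed
    (plus tolerance). real_pool_value must be derived from token balances and
    rates, not from the share formula being checked."""
    if total_supply == 0:
        return shares == deposit_value
    minted = Fraction(shares, total_supply + shares)
    contributed = Fraction(deposit_value, real_pool_value + deposit_value)
    return minted <= contributed * (1 + tol)

def demo() -> dict:
    # Constructed pool state: 10,000 units of value backing 10,000 shares.
    pool_value, supply = 10_000 * WAD, 10_000 * WAD
    deposit = 800 * WAD                      # an 800-unit deposit, as in the write-up
    honest = shares_for_deposit(deposit, pool_value, supply)
    # A product term in the denominator wraps modulo 2**256 and lands on a
    # tiny residue (constructed: (2**255 + 1) * 2 == 2**256 + 2, wraps to 2).
    broken_denominator = wrap((2**255 + 1) * 2)
    inflated = shares_for_deposit(deposit, broken_denominator, supply)
    # Empty-pool "dust" deposit: 1 wei of value must mint exactly 1 share.
    dust = shares_for_deposit(1, 0, 0)
    return {
        "honest": honest,
        "honest_ok": mint_is_sane(honest, deposit, pool_value, supply),
        "broken_denominator": broken_denominator,
        "inflated": inflated,
        "inflated_ok": mint_is_sane(inflated, deposit, pool_value, supply),
        "dust": dust,
        "dust_ok": mint_is_sane(dust, 1, 0, 0),
        "absurd_dust_ok": mint_is_sane(2354 * 10**53, 1, 0, 0),  # 2.354e56 shares
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same check also catches the “virtual balance product decreased to zero” case, since `wrap(2**255 * 2)` is 0 and any formula dividing by it cannot produce a mint that passes the invariant.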

Conversion to real money

He then exchanged yETH for real ETH tokens and other assets, repaid the flash loan, and took the net profit.

Initially, the hacker withdrew 1100 ETH ($3.4 million) to Tornado Cash. The remaining assets (approximately $6 million): 28 ETH, 48.96 cbETH, 203.55 rETH, 742.63 frxETH, 857.48 pxETH, and 167.67 stETH were sent to a storage address.

Address for storing stolen assets
0xa80d3f2022f6bfd0b260bf16d72cad025440c822

Withdrawal of part of the stolen funds to Tornado Cash. Visualization: MistTrack.

The Yearn team managed to recover about $2.4 million by destroying the 857.48 pxETH stored in the hacker’s wallet. The coins were reissued and returned to Yearn.

Conclusion

The attack was made possible by errors in the complex formula used by Yearn to calculate the number of shares when adding liquidity:

  • incorrect rounding,
  • number overflow,
  • lack of mandatory verification of calculation correctness.

The attacker artificially created conditions under which the program gave him a huge share of the fund. He then exchanged this “virtual share” for real assets and withdrew them.
