Home > Quick > Body

SlowMist: The root cause of the yearn attack is that there are insecure mathematical operations in the Yearn yETH pool contract

clock
2025-12-05 02:53:56
According to SlowMist monitoring, on December 1st, the decentralized financial protocol yearn was hacked, causing about $9 million in losses. The SlowMist security team analyzed the incident and confirmed the root cause as follows:
The vulnerability stems from the logic of the _calc_supply function used to calculate the supply in the Yearn yETH Weighted Stableswap Pool contract. Due to an insecure mathematical operation, the function allows overflow and rounding errors during the calculation process, resulting in a significant deviation in the product calculation of the new supply and the virtual balance. An attacker could exploit this flaw to manipulate liquidity to a specific value and overmint Liquidity Pool (LP) tokens for illegal profit.
It is recommended to strengthen boundary scenario testing and adopt a security-verified arithmetic operation mechanism to prevent such high-risk vulnerabilities in similar protocols.
Disclaimer:
1. The information provided does not constitute investment advice. Investors should make independent decisions and bear all risks themselves.
2. The copyright of this content belongs to the original author. The views expressed herein are solely those of the author and do not represent the stance or position of this website.
New Tab Page - Desk3 | Plugin
Stay ahead of the game in the cryptocurrency space.