According to SlowMist monitoring, on December 1st, the decentralized financial protocol yearn was hacked, causing about $9 million in losses. The SlowMist security team analyzed the incident and confirmed the root cause as follows:
The vulnerability stems from the logic of the _calc_supply function used to calculate the supply in the Yearn yETH Weighted Stableswap Pool contract. Due to an insecure mathematical operation, the function allows overflow and rounding errors during the calculation process, resulting in a significant deviation in the product calculation of the new supply and the virtual balance. An attacker could exploit this flaw to manipulate liquidity to a specific value and overmint Liquidity Pool (LP) tokens for illegal profit.
It is recommended to strengthen boundary scenario testing and adopt a security-verified arithmetic operation mechanism to prevent such high-risk vulnerabilities in similar protocols.
SlowMist: The root cause of the yearn attack is that there are insecure mathematical operations in the Yearn yETH pool contract
2025-12-05 02:53:56
Disclaimer:
1. The information provided does not constitute investment advice. Investors should make independent decisions and bear all risks themselves.
2. The copyright of this content belongs to the original author. The views expressed herein are solely those of the author and do not represent the stance or position of this website.
Previous article:
Bitwise CIO: Strategy Won't Be Forced to Sell BitcoinNext article:
美银:日本央行将在12月加息至0.75% 随后每六个月加息一次