An attacker minted 235 septillion yETH while depositing only 16 wei by exploiting unsafe math and stale cached values in Yearn's yETH pool, draining ~$9M.
On November 30-December 1, 2025, the Yearn yETH pool was exploited through unsafe math operations (unsafe_mul overflow, unsafe_sub underflow) combined with stale cached packed_vbs[] values in the _calc_supply function. The attacker minted 235 septillion yETH (a 41-digit number) while depositing only 16 wei, draining approximately $9M. Approximately $2.4M was recovered by burning pxETH held by the attacker.
No laundering activity observed. ~$2.4M recovered by burning pxETH held by the attacker; remaining funds unrecovered.
N/A