Yearn Finance (yETH LST stableswap pool + yETH-WETH Curve pool): Invariant corruption via remove_liquidity(0) + update_rates() calls → Newton-Raphson arithmetic underflow → 235 trillion yETH minted from dust deposit → single-asset drain

Summary #

Yearn Finance (yETH LST stableswap pool + yETH-WETH Curve pool) suffered a Yield Aggregator / LST Stableswap (legacy / abandoned pool) on 2023-11-30, resulting in a loss of approximately $9M.

What happened #

A forgotten Yearn pool nobody maintained minted 235 trillion yETH tokens from a 12-wei deposit, draining $9M through a Newton-Raphson arithmetic underflow triggered by weeks of invariant corruption.

Linked factors #

• RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited-at-time-of-exploit (audits were historical; no ongoing review of this abandoned pool)]
• RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — abandoned legacy code, no recent changes] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — abandoned legacy code, no recent changes]
• RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
• RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Heavy Tornado Cash activity + unusual LST token movements across Yearn, Rocket Pool, Origin, and Dinero noted by Togbe minutes before the ex...]
• RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: N — custom stableswap math, not a fork of standard Curve]
• RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — abandoned legacy code, no recent changes]