![0xKaden's tweet photo. yETH Exploit Deep Dive
After spending some time exploring the recent yETH exploit, I quickly realized that it's easily one of the most sophisticated attacks I've ever seen. In fact, it was so complicated that every writeup I read misunderstood at least some part of the attack. This complexity provides for some serious alpha to developers and security researchers who can thoroughly understand the attack, so don't just bookmark this, let's dive in.
Hybrid AMM Curve
To understand this exploit, we first need to understand the underlying mechanism of the protocol. The yETH pool uses an invariant which is a hybrid between constant product and constant sum. If you're familiar with the inner workings of Uniswap, you should be familiar with the constant product behavior, essentially it just adjusts the price according to the reserves. Whereas constant sum results in a constant price between the tokens, regardless of reserves. The yETH hybrid curve behaves like a constant sum when the token reserves are balanced, keeping the price constant, and behaves like a constant product curve when the reserves are imbalanced. This behavior is valuable for pools of assets which have the same value due to the fact that the price is much less sensitive to reserve changes.
Below we have a graph [1] of these different curves. Red: constant product, green: constant sum, blue: hybrid used by the yETH pool.
The First Bug: Breaking The Invariant
Let's zoom in on the `_calc_supply` function. This function uses an iterative approximation to converge to a new supply and constant product term at each iteration, ending the loop once sufficient precision is achieved.
The constant product term (r) is recomputed at each iteration as the current value multiplied by the new supply, divided by the previous supply (`r * sp / s`). Effectively, it scales at the same rate as the supply.
The bug: if the decrease in supply of any given iteration of the solver is large enough, the constant product term can round down to zero. There is no revert to handle this case and once it occurs, each following iteration will remain zero since `0 * x / y = 0`.
Now that we have a zero constant product term, we no longer have a hybrid constant product/constant sum curve, instead we effectively just have a constant sum curve. To understand why this is a problem we have to go back and look at the curves. In the below graph [2], we have the intended curve (red) and the constant sum curve (purple) which is the result of the zero product term.
As we adjust the supply (see desmos graph [2] linked in reply) of these two curves (D), we can see that the reserves increase by the same amount in the middle, where the reserves are balanced, but by different amounts on the outside, where the reserves are imbalanced. This means that as we add/remove liquidity with imbalanced reserves, these two curves will mint/burn a different amount of LP tokens.
Understanding this behavior, the attacker systemically switched between these curves by triggering the zero constant product term when adding liquidity with unbalanced reserves to receive more LP tokens than intended. They then resolved the constant product term back to normal during liquidity removal to receive the correct amount of tokens provided for burning the inflated amount of LP tokens they received. This allowed the attacker to withdraw more tokens than they deposited, which they repeated until the pool was drained of its reserves for a profit of about ~$8m.
The Second Bug: Unexpected Underflow
You thought we were done? Nope, there's yet another bug that the attacker exploited to steal even more funds after already completely draining the pool.
Now that the pool is empty, and variables used for accounting are in such an unusual state, there is a significant side effect which occurs when we attempt to deposit certain dust amounts. Again, looking in the `_calc_supply` function, when we iteratively recompute the supply, we compute it with the following line (`(l - s * r) / d`):
Since we use unchecked math here and the accounting is in a highly irregular state, it's unexpectedly possible for `s * r > l`, resulting in the computed supply underflowing. The attacker exploits this underflow by depositing the following amounts: `[1, 1, 1, 1, 1, 1, 1, 9]`, resulting in them being minted `~2.6*10^56` yETH LP tokens. The attacker then makes a swap on the curve yETH/WETH pool, draining the pool of its WETH, for a profit of ~$1m.
Conclusion
Not only did this attack include a highly sophisticated AMM invariant exploit, but it also exploited an underflow which is likely only possible due to the existence of the invariant exploit. This combination of exploits allowed the attacker to not only drain the yETH pool, but also another pool containing the LP token. Both attacks, and even tornado cash deposits were all made in the same transaction, preventing any chance at rescue.
In my research, every writeup I came across misunderstood this attack in some way. Clearly, it's extremely rare to understand such a sophisticated exploit, providing for some serious alpha to developers and security researchers to fully wrap their heads around this.](https://pbs.twimg.com/media/G7V-9O0b0AEdU36.png)
![0xKaden's tweet photo. yETH Exploit Deep Dive
After spending some time exploring the recent yETH exploit, I quickly realized that it's easily one of the most sophisticated attacks I've ever seen. In fact, it was so complicated that every writeup I read misunderstood at least some part of the attack. This complexity provides for some serious alpha to developers and security researchers who can thoroughly understand the attack, so don't just bookmark this, let's dive in.
Hybrid AMM Curve
To understand this exploit, we first need to understand the underlying mechanism of the protocol. The yETH pool uses an invariant which is a hybrid between constant product and constant sum. If you're familiar with the inner workings of Uniswap, you should be familiar with the constant product behavior, essentially it just adjusts the price according to the reserves. Whereas constant sum results in a constant price between the tokens, regardless of reserves. The yETH hybrid curve behaves like a constant sum when the token reserves are balanced, keeping the price constant, and behaves like a constant product curve when the reserves are imbalanced. This behavior is valuable for pools of assets which have the same value due to the fact that the price is much less sensitive to reserve changes.
Below we have a graph [1] of these different curves. Red: constant product, green: constant sum, blue: hybrid used by the yETH pool.
The First Bug: Breaking The Invariant
Let's zoom in on the `_calc_supply` function. This function uses an iterative approximation to converge to a new supply and constant product term at each iteration, ending the loop once sufficient precision is achieved.
The constant product term (r) is recomputed at each iteration as the current value multiplied by the new supply, divided by the previous supply (`r * sp / s`). Effectively, it scales at the same rate as the supply.
The bug: if the decrease in supply of any given iteration of the solver is large enough, the constant product term can round down to zero. There is no revert to handle this case and once it occurs, each following iteration will remain zero since `0 * x / y = 0`.
Now that we have a zero constant product term, we no longer have a hybrid constant product/constant sum curve, instead we effectively just have a constant sum curve. To understand why this is a problem we have to go back and look at the curves. In the below graph [2], we have the intended curve (red) and the constant sum curve (purple) which is the result of the zero product term.
As we adjust the supply (see desmos graph [2] linked in reply) of these two curves (D), we can see that the reserves increase by the same amount in the middle, where the reserves are balanced, but by different amounts on the outside, where the reserves are imbalanced. This means that as we add/remove liquidity with imbalanced reserves, these two curves will mint/burn a different amount of LP tokens.
Understanding this behavior, the attacker systemically switched between these curves by triggering the zero constant product term when adding liquidity with unbalanced reserves to receive more LP tokens than intended. They then resolved the constant product term back to normal during liquidity removal to receive the correct amount of tokens provided for burning the inflated amount of LP tokens they received. This allowed the attacker to withdraw more tokens than they deposited, which they repeated until the pool was drained of its reserves for a profit of about ~$8m.
The Second Bug: Unexpected Underflow
You thought we were done? Nope, there's yet another bug that the attacker exploited to steal even more funds after already completely draining the pool.
Now that the pool is empty, and variables used for accounting are in such an unusual state, there is a significant side effect which occurs when we attempt to deposit certain dust amounts. Again, looking in the `_calc_supply` function, when we iteratively recompute the supply, we compute it with the following line (`(l - s * r) / d`):
Since we use unchecked math here and the accounting is in a highly irregular state, it's unexpectedly possible for `s * r > l`, resulting in the computed supply underflowing. The attacker exploits this underflow by depositing the following amounts: `[1, 1, 1, 1, 1, 1, 1, 9]`, resulting in them being minted `~2.6*10^56` yETH LP tokens. The attacker then makes a swap on the curve yETH/WETH pool, draining the pool of its WETH, for a profit of ~$1m.
Conclusion
Not only did this attack include a highly sophisticated AMM invariant exploit, but it also exploited an underflow which is likely only possible due to the existence of the invariant exploit. This combination of exploits allowed the attacker to not only drain the yETH pool, but also another pool containing the LP token. Both attacks, and even tornado cash deposits were all made in the same transaction, preventing any chance at rescue.
In my research, every writeup I came across misunderstood this attack in some way. Clearly, it's extremely rare to understand such a sophisticated exploit, providing for some serious alpha to developers and security researchers to fully wrap their heads around this.](https://pbs.twimg.com/media/G7V-uW8bsAAE--w.png)
![0xKaden's tweet photo. yETH Exploit Deep Dive
After spending some time exploring the recent yETH exploit, I quickly realized that it's easily one of the most sophisticated attacks I've ever seen. In fact, it was so complicated that every writeup I read misunderstood at least some part of the attack. This complexity provides for some serious alpha to developers and security researchers who can thoroughly understand the attack, so don't just bookmark this, let's dive in.
Hybrid AMM Curve
To understand this exploit, we first need to understand the underlying mechanism of the protocol. The yETH pool uses an invariant which is a hybrid between constant product and constant sum. If you're familiar with the inner workings of Uniswap, you should be familiar with the constant product behavior, essentially it just adjusts the price according to the reserves. Whereas constant sum results in a constant price between the tokens, regardless of reserves. The yETH hybrid curve behaves like a constant sum when the token reserves are balanced, keeping the price constant, and behaves like a constant product curve when the reserves are imbalanced. This behavior is valuable for pools of assets which have the same value due to the fact that the price is much less sensitive to reserve changes.
Below we have a graph [1] of these different curves. Red: constant product, green: constant sum, blue: hybrid used by the yETH pool.
The First Bug: Breaking The Invariant
Let's zoom in on the `_calc_supply` function. This function uses an iterative approximation to converge to a new supply and constant product term at each iteration, ending the loop once sufficient precision is achieved.
The constant product term (r) is recomputed at each iteration as the current value multiplied by the new supply, divided by the previous supply (`r * sp / s`). Effectively, it scales at the same rate as the supply.
The bug: if the decrease in supply of any given iteration of the solver is large enough, the constant product term can round down to zero. There is no revert to handle this case and once it occurs, each following iteration will remain zero since `0 * x / y = 0`.
Now that we have a zero constant product term, we no longer have a hybrid constant product/constant sum curve, instead we effectively just have a constant sum curve. To understand why this is a problem we have to go back and look at the curves. In the below graph [2], we have the intended curve (red) and the constant sum curve (purple) which is the result of the zero product term.
As we adjust the supply (see desmos graph [2] linked in reply) of these two curves (D), we can see that the reserves increase by the same amount in the middle, where the reserves are balanced, but by different amounts on the outside, where the reserves are imbalanced. This means that as we add/remove liquidity with imbalanced reserves, these two curves will mint/burn a different amount of LP tokens.
Understanding this behavior, the attacker systemically switched between these curves by triggering the zero constant product term when adding liquidity with unbalanced reserves to receive more LP tokens than intended. They then resolved the constant product term back to normal during liquidity removal to receive the correct amount of tokens provided for burning the inflated amount of LP tokens they received. This allowed the attacker to withdraw more tokens than they deposited, which they repeated until the pool was drained of its reserves for a profit of about ~$8m.
The Second Bug: Unexpected Underflow
You thought we were done? Nope, there's yet another bug that the attacker exploited to steal even more funds after already completely draining the pool.
Now that the pool is empty, and variables used for accounting are in such an unusual state, there is a significant side effect which occurs when we attempt to deposit certain dust amounts. Again, looking in the `_calc_supply` function, when we iteratively recompute the supply, we compute it with the following line (`(l - s * r) / d`):
Since we use unchecked math here and the accounting is in a highly irregular state, it's unexpectedly possible for `s * r > l`, resulting in the computed supply underflowing. The attacker exploits this underflow by depositing the following amounts: `[1, 1, 1, 1, 1, 1, 1, 9]`, resulting in them being minted `~2.6*10^56` yETH LP tokens. The attacker then makes a swap on the curve yETH/WETH pool, draining the pool of its WETH, for a profit of ~$1m.
Conclusion
Not only did this attack include a highly sophisticated AMM invariant exploit, but it also exploited an underflow which is likely only possible due to the existence of the invariant exploit. This combination of exploits allowed the attacker to not only drain the yETH pool, but also another pool containing the LP token. Both attacks, and even tornado cash deposits were all made in the same transaction, preventing any chance at rescue.
In my research, every writeup I came across misunderstood this attack in some way. Clearly, it's extremely rare to understand such a sophisticated exploit, providing for some serious alpha to developers and security researchers to fully wrap their heads around this.](https://pbs.twimg.com/media/G7V-KNcb0AA9XDy.png)
Olivia
Online
Kn0t
@0xknot
Security Researcher @getreconxyz
EVM
Joined November 2008
420 Following
164 Followers
51 Posts
Here’s a full breakdown for the latest Release of the Recon Extension.
This release adds the Recon Fuzzer with an Echidna compatibility mode which makes it generate a corpus both can use.
We also shipped one click canaries and the ability to ignore properties in the repro generation.
What should we ship next?
@getreconxyz new release is out, time to reconup
If you believe all projects should fuzz please share this around
Don’t miss the chance
@GalloDaSballo has been my mentor for the past 1.5 years and genuinely one of the deepest minds in invariant testing. The amount of small tricks and edge case intuition you learn from him can literally save weeks
There are only 2 spots left for the invariant testing bootcamp
Starts next week
May 12, 2026
Apply for cohort 2 of Invariant Testing Bootcamp taught by @GalloDaSballo from the audit firm @getreconxyz
Did you know he's made over $500,000 in bug bounties?
You'll look forward to your classes.
https://t.co/niKSMcaKbA
Today we're celebrating half a million dollar paid to whitehats!
Invariant testing done properly makes a huge difference in audits.
And @aviggiano being one of the strongest fuzzing engineers out there makes this especially interesting.
Excited to teach this with @RareSkills_io 🙌
5 weeks on Invariant Testing with @getreconxyz
If you already understand ERC-4626 and common Solidity bugs, this is for you.
Q1 2026
yETH Exploit Deep Dive
After spending some time exploring the recent yETH exploit, I quickly realized that it's easily one of the most sophisticated attacks I've ever seen. In fact, it was so complicated that every writeup I read misunderstood at least some part of the attack. This complexity provides for some serious alpha to developers and security researchers who can thoroughly understand the attack, so don't just bookmark this, let's dive in.
Hybrid AMM Curve
To understand this exploit, we first need to understand the underlying mechanism of the protocol. The yETH pool uses an invariant which is a hybrid between constant product and constant sum. If you're familiar with the inner workings of Uniswap, you should be familiar with the constant product behavior, essentially it just adjusts the price according to the reserves. Whereas constant sum results in a constant price between the tokens, regardless of reserves. The yETH hybrid curve behaves like a constant sum when the token reserves are balanced, keeping the price constant, and behaves like a constant product curve when the reserves are imbalanced. This behavior is valuable for pools of assets which have the same value due to the fact that the price is much less sensitive to reserve changes.
Below we have a graph [1] of these different curves. Red: constant product, green: constant sum, blue: hybrid used by the yETH pool.
The First Bug: Breaking The Invariant
Let's zoom in on the `_calc_supply` function. This function uses an iterative approximation to converge to a new supply and constant product term at each iteration, ending the loop once sufficient precision is achieved.
The constant product term (r) is recomputed at each iteration as the current value multiplied by the new supply, divided by the previous supply (`r * sp / s`). Effectively, it scales at the same rate as the supply.
The bug: if the decrease in supply of any given iteration of the solver is large enough, the constant product term can round down to zero. There is no revert to handle this case and once it occurs, each following iteration will remain zero since `0 * x / y = 0`.
Now that we have a zero constant product term, we no longer have a hybrid constant product/constant sum curve, instead we effectively just have a constant sum curve. To understand why this is a problem we have to go back and look at the curves. In the below graph [2], we have the intended curve (red) and the constant sum curve (purple) which is the result of the zero product term.
As we adjust the supply (see desmos graph [2] linked in reply) of these two curves (D), we can see that the reserves increase by the same amount in the middle, where the reserves are balanced, but by different amounts on the outside, where the reserves are imbalanced. This means that as we add/remove liquidity with imbalanced reserves, these two curves will mint/burn a different amount of LP tokens.
Understanding this behavior, the attacker systemically switched between these curves by triggering the zero constant product term when adding liquidity with unbalanced reserves to receive more LP tokens than intended. They then resolved the constant product term back to normal during liquidity removal to receive the correct amount of tokens provided for burning the inflated amount of LP tokens they received. This allowed the attacker to withdraw more tokens than they deposited, which they repeated until the pool was drained of its reserves for a profit of about ~$8m.
The Second Bug: Unexpected Underflow
You thought we were done? Nope, there's yet another bug that the attacker exploited to steal even more funds after already completely draining the pool.
Now that the pool is empty, and variables used for accounting are in such an unusual state, there is a significant side effect which occurs when we attempt to deposit certain dust amounts. Again, looking in the `_calc_supply` function, when we iteratively recompute the supply, we compute it with the following line (`(l - s * r) / d`):
Since we use unchecked math here and the accounting is in a highly irregular state, it's unexpectedly possible for `s * r > l`, resulting in the computed supply underflowing. The attacker exploits this underflow by depositing the following amounts: `[1, 1, 1, 1, 1, 1, 1, 9]`, resulting in them being minted `~2.6*10^56` yETH LP tokens. The attacker then makes a swap on the curve yETH/WETH pool, draining the pool of its WETH, for a profit of ~$1m.
Conclusion
Not only did this attack include a highly sophisticated AMM invariant exploit, but it also exploited an underflow which is likely only possible due to the existence of the invariant exploit. This combination of exploits allowed the attacker to not only drain the yETH pool, but also another pool containing the LP token. Both attacks, and even tornado cash deposits were all made in the same transaction, preventing any chance at rescue.
In my research, every writeup I came across misunderstood this attack in some way. Clearly, it's extremely rare to understand such a sophisticated exploit, providing for some serious alpha to developers and security researchers to fully wrap their heads around this.
![0xKaden's tweet photo. yETH Exploit Deep Dive
After spending some time exploring the recent yETH exploit, I quickly realized that it's easily one of the most sophisticated attacks I've ever seen. In fact, it was so complicated that every writeup I read misunderstood at least some part of the attack. This complexity provides for some serious alpha to developers and security researchers who can thoroughly understand the attack, so don't just bookmark this, let's dive in.
Hybrid AMM Curve
To understand this exploit, we first need to understand the underlying mechanism of the protocol. The yETH pool uses an invariant which is a hybrid between constant product and constant sum. If you're familiar with the inner workings of Uniswap, you should be familiar with the constant product behavior, essentially it just adjusts the price according to the reserves. Whereas constant sum results in a constant price between the tokens, regardless of reserves. The yETH hybrid curve behaves like a constant sum when the token reserves are balanced, keeping the price constant, and behaves like a constant product curve when the reserves are imbalanced. This behavior is valuable for pools of assets which have the same value due to the fact that the price is much less sensitive to reserve changes.
Below we have a graph [1] of these different curves. Red: constant product, green: constant sum, blue: hybrid used by the yETH pool.
The First Bug: Breaking The Invariant
Let's zoom in on the `_calc_supply` function. This function uses an iterative approximation to converge to a new supply and constant product term at each iteration, ending the loop once sufficient precision is achieved.
The constant product term (r) is recomputed at each iteration as the current value multiplied by the new supply, divided by the previous supply (`r * sp / s`). Effectively, it scales at the same rate as the supply.
The bug: if the decrease in supply of any given iteration of the solver is large enough, the constant product term can round down to zero. There is no revert to handle this case and once it occurs, each following iteration will remain zero since `0 * x / y = 0`.
Now that we have a zero constant product term, we no longer have a hybrid constant product/constant sum curve, instead we effectively just have a constant sum curve. To understand why this is a problem we have to go back and look at the curves. In the below graph [2], we have the intended curve (red) and the constant sum curve (purple) which is the result of the zero product term.
As we adjust the supply (see desmos graph [2] linked in reply) of these two curves (D), we can see that the reserves increase by the same amount in the middle, where the reserves are balanced, but by different amounts on the outside, where the reserves are imbalanced. This means that as we add/remove liquidity with imbalanced reserves, these two curves will mint/burn a different amount of LP tokens.
Understanding this behavior, the attacker systemically switched between these curves by triggering the zero constant product term when adding liquidity with unbalanced reserves to receive more LP tokens than intended. They then resolved the constant product term back to normal during liquidity removal to receive the correct amount of tokens provided for burning the inflated amount of LP tokens they received. This allowed the attacker to withdraw more tokens than they deposited, which they repeated until the pool was drained of its reserves for a profit of about ~$8m.
The Second Bug: Unexpected Underflow
You thought we were done? Nope, there's yet another bug that the attacker exploited to steal even more funds after already completely draining the pool.
Now that the pool is empty, and variables used for accounting are in such an unusual state, there is a significant side effect which occurs when we attempt to deposit certain dust amounts. Again, looking in the `_calc_supply` function, when we iteratively recompute the supply, we compute it with the following line (`(l - s * r) / d`):
Since we use unchecked math here and the accounting is in a highly irregular state, it's unexpectedly possible for `s * r > l`, resulting in the computed supply underflowing. The attacker exploits this underflow by depositing the following amounts: `[1, 1, 1, 1, 1, 1, 1, 9]`, resulting in them being minted `~2.6*10^56` yETH LP tokens. The attacker then makes a swap on the curve yETH/WETH pool, draining the pool of its WETH, for a profit of ~$1m.
Conclusion
Not only did this attack include a highly sophisticated AMM invariant exploit, but it also exploited an underflow which is likely only possible due to the existence of the invariant exploit. This combination of exploits allowed the attacker to not only drain the yETH pool, but also another pool containing the LP token. Both attacks, and even tornado cash deposits were all made in the same transaction, preventing any chance at rescue.
In my research, every writeup I came across misunderstood this attack in some way. Clearly, it's extremely rare to understand such a sophisticated exploit, providing for some serious alpha to developers and security researchers to fully wrap their heads around this.](https://pbs.twimg.com/media/G7V_LG3bcAAmYBP.png)
Recon V2 is out!
- Run unlimited fuzzing jobs with Echidna, Medusa, Halmos and Foundry
- Trigger a job on Commit, onchain event, via the UI, API or MCP
- Access AI Powered Workflows for Invariant Testing and Security
Just 9 days left on our Quadratic Funding fundraiser, so far only 9 people contributed, every contribution multiplies each dollar donated exponentially.
Our goal is to make Invariant Testing the default for every Solidity project and your support of even $1 makes a huge difference!
Here's our latest publicly announced Invariant Testing Engagement Customers
Foundry v1.3 has a new release candidate out 🎉
Try it out now:
$ foundryup --update
$ foundryup -i v1.3.0-rc2
https://t.co/TUVWwLQ3u5
Foundry 1.3.0 will have Stateful Invariant Tests!
Try it out today with Create Chimera App!
foundryup --update
foundryup -i v1.3.0-rc2
As @GalloDaSballo once said optimization mode is one of the most underutilized features of echidna.
It can be kinda difficult to understand why it's useful for security research though so we added this section to the @getreconxyz book to explain how you can use it to escalate vulnerabilities that you've discovered with broken properties.
You're probably already using cursor but if you add the @getreconxyz book as a custom documentation context you can get all our best practices and tips, just one prompt away.
Even though I've written a large part of the book I still find myself asking questions to it through cursor because it's so much easier to navigate than any search will ever be.
It's also great for asking questions about a new project when you're starting a new engagement as well.
@zigtur @GalloDaSballo Let’s make him dream too 😎🚀 @GalloDaSballo, time to catch Lamborghini FOMO! 😂
Most Popular Users
Elon Musk 
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.6M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.2M followers
Taylor Swift
@taylorswift13
81M followers
Lady Gaga
@ladygaga
72.5M followers
Kim Kardashian
@kimkardashian
69.6M followers
Virat Kohli
@imvkohli
69.1M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.8M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.3M followers