The $9 million exploit of Yearn Finance’s yETH Stableswap Pool on November 30, 2025, exposed a critical vulnerability class that every DeFi developer and auditor must understand: unsafe arithmetic in iterative supply calculations. With Ethereum trading at $2,800 and billions of dollars locked in AMM pools across the ecosystem, the ability to identify and remediate these vulnerabilities is an essential skill for anyone involved in DeFi protocol security. This advanced tutorial walks through the technical mechanics of stableswap pool vulnerabilities and provides a systematic methodology for auditing these high-value targets.
The Objective
This tutorial aims to equip experienced Solidity developers and security auditors with the knowledge and tools necessary to identify unsafe arithmetic vulnerabilities in stableswap pool implementations. By the end of this guide, you will understand how supply manipulation attacks work at the mathematical level, be able to recognize dangerous patterns in AMM code, and know how to implement proper safeguards against overflow and underflow conditions.
Prerequisites
This is an advanced tutorial. You should have a strong understanding of Solidity (version 0.7.x and earlier patterns); Automated Market Maker (AMM) mechanics, particularly the Stableswap invariant; and basic calculus and numerical methods. You should also have experience with the Foundry or Hardhat testing frameworks. Familiarity with the Curve Finance Stableswap whitepaper and Yearn Finance vault architecture is recommended but not required.
Step-by-Step Walkthrough
Step 1: Understanding the Stableswap Invariant
Stableswap pools use a modified constant-product formula that combines elements of the constant-sum (x + y = k) and constant-product (x × y = k) AMMs. The invariant is governed by an amplification parameter that determines how closely the pool behaves like a constant-sum AMM when balances are near equilibrium. The supply variable D represents the total amount of LP tokens when the pool is perfectly balanced.
The calculation of D involves an iterative process — typically Newton’s method — that converges on the correct value over multiple iterations. This is where the vulnerability emerges: if the iterative calculation does not properly handle edge cases, attackers can manipulate pool state to force the iteration toward values that produce incorrect results.
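The Newton iteration described above, as an added Python reference model for differential testing (not code from the yETH contracts or from this tutorial's author). It assumes the Curve-style recurrence for D, models Solidity 0.8 checked uint256 arithmetic with the hypothetical helpers `u256` and `checked_div`, and reverts on a drained asset, an overflow, or non-convergence instead of returning a wrong supply.

```python
UINT256_MAX = 2**256 - 1
MAX_ITERATIONS = 255  # assumed iteration cap, as in Curve-style pools


class Revert(Exception):
    """Models an EVM revert."""


def u256(value: int) -> int:
    """Checked arithmetic: revert if a result leaves the uint256 range."""
    if not 0 <= value <= UINT256_MAX:
        raise Revert("uint256 overflow or underflow")
    return value


def checked_div(a: int, b: int) -> int:
    if b == 0:
        raise Revert("division by zero")
    return a // b


def get_d(balances: list[int], amp: int) -> tuple[int, int]:
    """Solve the invariant for D. Returns (D, iterations used)."""
    n = len(balances)
    if amp < 1 or n < 2:
        raise Revert("invalid pool parameters")
    s = u256(sum(balances))
    if s == 0:
        return 0, 0
    ann = u256(amp * n)
    d = s  # initial guess: the constant-sum value
    for iteration in range(1, MAX_ITERATIONS + 1):
        d_p = d
        for x in balances:
            # Builds D^(n+1) / (n^n * prod(x)); a drained asset reverts here
            d_p = checked_div(u256(d_p * d), u256(x * n))
        d_prev = d
        numerator = u256(u256(ann * s + d_p * n) * d)
        denominator = u256((ann - 1) * d + (n + 1) * d_p)
        d = checked_div(numerator, denominator)
        if abs(d - d_prev) <= 1:
            return d, iteration
    raise Revert("Newton iteration did not converge")
```

For a balanced pool the model returns D equal to the sum of balances after one iteration; for an imbalanced pool D falls between the constant-product and constant-sum values, which gives a bound to compare on-chain results against.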
Step 2: Identifying Unsafe Math Patterns
In Solidity versions prior to 0.8.0, arithmetic operations do not automatically check for overflow and underflow. Many DeFi protocols, especially those deployed before 2023, use libraries like SafeMath for addition and subtraction but may miss critical multiplication and division operations in complex mathematical functions.
Examine the supply calculation function for the following patterns: operations using sub() or unsafe_sub() without overflow or underflow checks, multiplications that could produce values exceeding uint256 limits, divisions that could round to zero in edge cases, and iterative calculations where intermediate values are used without validation between iterations.
Step 3: Analyzing the Virtual Balance Product
In the yETH pool exploit, the attacker manipulated the virtual balance product (vb_prod) — the product of all virtual balances in the pool. The attack sequence involved repeatedly removing liquidity for all assets and re-adding liquidity for only some assets. After five cycles, the vb_prod was driven to zero because the missing assets caused the product calculation to underflow through the iterative update formula.
When auditing a stableswap pool, trace the virtual balance product calculation through all code paths. Pay special attention to what happens when individual virtual balances are reduced to near-zero or when the pool becomes significantly imbalanced. The product of multiple values converging toward zero creates opportunities for rounding errors that compound through iterations.
Step 4: Simulating Attack Vectors with Foundry
Create a Foundry test that replicates the pool state and systematically tests edge cases. Start with a properly balanced pool, then execute sequences of large single-asset withdrawals followed by asymmetric deposits. Monitor the supply variable D and virtual balance product at each step. If D diverges significantly from the expected value based on total deposited assets, you have identified a potential vulnerability.
Key test scenarios include: flash loan-sized deposits and withdrawals, repeated asymmetric liquidity operations, rate provider manipulation (if applicable), and edge cases where individual virtual balances approach zero.
Step 5: Implementing Safeguards
The most effective mitigation is migrating to Solidity 0.8.0 or later, which provides built-in overflow and underflow checks. For protocols that cannot migrate, wrap all critical arithmetic operations in SafeMath calls and add explicit validation after each iteration of supply calculations. Implement circuit breakers that halt operations if the supply variable diverges beyond expected bounds. Add minimum balance requirements that prevent individual pool assets from being drained below a safe threshold.
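The unchecked subtraction pattern from Step 2 beside the safeguards listed above, as an added Python model (not code from the yETH contracts or this tutorial's author). The function names, the `supply_step` form `(a - b) / divisor`, the 50 bps tolerance, and the bound "supply never exceeds the sum of virtual balances" are assumptions chosen for a Curve-style invariant.

```python
UINT256_MAX = 2**256 - 1
BPS = 10_000


class Revert(Exception):
    """Models an EVM revert."""


def unsafe_sub(a: int, b: int) -> int:
    """Unchecked subtraction as in Solidity < 0.8.0: wraps modulo 2**256."""
    return (a - b) & UINT256_MAX


def safe_sub(a: int, b: int) -> int:
    """SafeMath-style subtraction: reverts instead of wrapping."""
    if b > a:
        raise Revert("subtraction underflow")
    return a - b


def check_iteration(supply: int, vb_sum: int, vb_prod: int) -> int:
    """Validation run after every iteration of the supply calculation."""
    if vb_prod == 0:
        raise Revert("virtual balance product collapsed to zero")
    if not 0 < supply <= vb_sum:
        raise Revert("supply outside (0, sum of virtual balances]")
    return supply


def check_operation(before: int, after: int, expected_delta: int,
                    tolerance_bps: int = 50) -> int:
    """Circuit breaker: supply change must match the value moved in or out."""
    drift = abs((after - before) - expected_delta)
    if drift * BPS > max(before, 1) * tolerance_bps:
        raise Revert("supply diverged from deposited value")
    return after


def supply_step(term_a: int, term_b: int, divisor: int, sub=safe_sub) -> int:
    """Hypothetical update step of the form (a - b) / divisor."""
    if divisor == 0:
        raise Revert("division by zero")
    return sub(term_a, term_b) // divisor
```

With `sub=unsafe_sub` a step where `term_b` exceeds `term_a` returns a value near 2**256 divided by the divisor; `check_iteration` rejects it because it exceeds the sum of virtual balances, so the validation still holds when a single unchecked operation slips through review.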
Troubleshooting
If your Foundry simulation does not reproduce the vulnerability, check that you are using the exact contract code from the deployed protocol, including any custom math libraries. Verify that rate provider values are being updated correctly in your simulation — the yETH attack required calling update_rates before the liquidity manipulation sequence. Ensure your test accounts have sufficient token balances and approvals to execute the large transactions required for manipulation.
Mastering the Skill
Stableswap pool auditing requires deep mathematical intuition and systematic testing. Study historical exploits — the Curve re-entrancy attacks, the Balancer rounding vulnerability, and the Yearn yETH overflow — to build pattern recognition for dangerous code structures. Contribute to open-source auditing tools that can automatically detect unsafe arithmetic in AMM implementations. The field of DeFi security evolves rapidly, and the auditors who stay current with both attack techniques and defensive tooling will be the ones who catch the next vulnerability before it is exploited.
Disclaimer: This article is for educational purposes only. Always conduct professional security audits before deploying smart contracts. The techniques described are intended for defensive security research.
Great breakdown of the supply manipulation vectors. I’ve been seeing more issues with how virtual price is calculated during rebalancing events lately. Definitely underscores why we need more rigorous formal verification on these curves instead of just relying on standard unit tests.
BlockSec_Dev agreed. the virtual price calculation during rebalancing is where most stableswap bugs hide. unit tests don't catch overflow in iterative math
solidity_audit_ virtual price during rebalancing is where the bugs hide because unit tests rarely test the edge cases in iterative math. fuzzing should be mandatory
This is super helpful for anyone trying to understand what’s actually happening under the hood of Curve-style pools. The bit about unsafe arithmetic caught me off guard—I always assumed the base implementations were foolproof. Going to be double checking my liquidity positions today for sure!
DeFi_Dolphin the base implementations are NOT foolproof. Curve set the standard but every fork introduces subtle differences in the invariant math
Arjun K. curve set the standard but every fork changes the invariant math slightly. those subtle differences are where the $9M drains come from
While I appreciate the technical depth, isn’t supply manipulation basically an inherent risk in any protocol with low liquidity? You mention mitigation strategies, but it feels like we’re just playing whack-a-mole with MEV bots at this point. How do we actually scale these audits without it costing more than the TVL?