Security

DeFi Protocol Stableswap Pool Drained by Token Infinite Mint Logic Flaw

A critical logic flaw in a legacy DeFi index token contract permitted an uncollateralized infinite mint, compromising pool integrity and draining $9M in LST assets.
December 1, 20253 min

A prominent white, smooth, toroidal structure centrally frames a vibrant dark blue, translucent, amorphous mass. From the right side, this blue substance dynamically fragments into numerous smaller, crystalline particles, scattering outwards against a soft grey-blue background
A luminous, multifaceted blue crystal structure, shaped like an 'X' or a cross, is depicted with polished metallic components at its intersections. The object appears to be a stylized control mechanism, possibly a valve, set against a blurred background of blues and greys, with frosty textures on the lower left

Briefing

The Yearn Finance ecosystem was targeted via a sophisticated exploit on its yETH Liquid Staking Token stableswap pool, resulting in a loss of approximately $9 million in various Liquid Staking Derivatives (LSTs). The primary consequence is a systemic failure of the pool’s core invariant, as the attacker was able to mint an effectively unlimited supply of the yETH index token. On-chain analysis confirms the attacker drained the pool of 751 wstETH, 412 rETH, and 203 cbETH, with a portion of the stolen funds immediately routed to a mixing service.

A highly detailed, top-down view captures a central, bright blue, faceted 'X' shaped structure. This crystalline element rests on a soft, greyish-white textured base, which also contains blurred, deeper blue faceted forms

Context

The incident highlights the persistent risk posed by legacy or custom smart contracts that operate outside of a protocol’s modern, fully-audited core infrastructure. A known class of vulnerability exists in complex token logic, especially in older, less-used pools where invariant checks may be less rigorous or rely on external assumptions that were not fully stress-tested against uncollateralized token minting.

A detailed, close-up view shows a light blue, textured surface forming a deep, circular indentation. A spherical object resembling a full moon floats centrally above this void, symbolizing a digital asset experiencing significant price action or 'mooning' within the DeFi landscape

Analysis

The attacker compromised a custom stableswap contract designed for the yETH LST basket. The exploit leveraged a dormant logic flaw within the token’s minting function, which failed to correctly verify the collateralization ratio before issuing new yETH tokens. This allowed the actor to mint trillions of yETH for minimal cost, which they then immediately redeemed for real, underlying assets (ETH derivatives) from the associated liquidity pool in a single, atomic transaction. The success hinged on the contract’s failure to maintain a critical supply invariant, a foundational security principle for all synthetic and index tokens.

A gleaming silver digital asset token, embossed with a prominent geometric emblem, is securely positioned by a sophisticated metallic mechanism. This central element is enveloped by a dynamic array of deep blue, intertwined tubular structures, exhibiting varied textures from granular glitter to intricate water droplets

Parameters

  • Total Loss Value → $9 Million → Total value of Liquid Staking Derivatives (LSTs) drained from the affected pools.
  • Attack Vector → Infinite Mint Vulnerability → The specific contract logic flaw allowing uncollateralized token creation.
  • Affected Asset ClassLiquid Staking Tokens (LSTs) → The primary assets (wstETH, rETH, cbETH) held in the compromised pool.
  • Attacker Action → 235 Trillion yETH Minted → The estimated quantity of worthless tokens created to drain the pool.

A vibrant blue, intricately structured translucent form dominates the foreground, set against a blurred background of metallic cylindrical and gear-like components. The detailed blue lattice appears to flow and connect, highlighting its complex internal structure and reflective surfaces

Outlook

Users should immediately withdraw liquidity from any remaining legacy or unmigrated pools, as these older contracts often present a disproportionately high attack surface. The immediate second-order effect is increased scrutiny on all DeFi protocols utilizing custom or forked stableswap logic, demanding immediate, deep audits of all mint/burn functions and invariant checks. This event will likely establish a new security best practice mandating the complete decommissioning of legacy contracts rather than merely isolating them.

This exploit confirms that unaddressed legacy code and flawed token minting logic remain a catastrophic systemic risk, demanding a zero-tolerance policy for outdated smart contract infrastructure.

Smart contract vulnerability, liquid staking tokens, stableswap pool exploit, infinite minting, logic flaw, DeFi risk, token supply inflation, asset drain, protocol security, LST derivatives, Ethereum blockchain, on-chain forensics, governance token, pool invariant, asset management, decentralized finance, critical vulnerability, whitehat disclosure, code audit, risk mitigation Signal Acquired from → forklog.com

Micro Crypto News Feeds

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

token minting

Definition ∞ Token minting is the process by which new digital tokens are created and introduced into circulation on a blockchain.

derivatives

Definition ∞ Derivatives are financial contracts whose value depends on an underlying asset, group of assets, or benchmark.

staking derivatives

Definition ∞ Staking derivatives are liquid tokens that represent staked assets on a proof-of-stake blockchain, allowing users to maintain liquidity while earning staking rewards.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

tokens

Definition ∞ Tokens are digital units of value or utility that are issued on a blockchain and represent an asset, a right, or access to a service.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

Tags:

Tags: