DeFi Protocol Stableswap Pool Drained by Token Infinite Mint Logic Flaw → Security

A white, textured sphere rests within a dynamic, translucent blue, fluid-like structure, set against a light grey background. The blue form exhibits complex ripples and varying opacities, appearing to cradle the sphere

A sophisticated metallic assembly, comprising interconnected silver and black geometric elements and visible bearings, is depicted partially submerged within a pale blue, granular substance. Beneath this textured surface, an intensely luminous electric blue network, characterized by intricate, flowing patterns, suggests a foundational digital architecture

Briefing

The Yearn Finance ecosystem was targeted via a sophisticated exploit on its yETH Liquid Staking Token stableswap pool, resulting in a loss of approximately $9 million in various Liquid Staking Derivatives (LSTs). The primary consequence is a systemic failure of the pool’s core invariant, as the attacker was able to mint an effectively unlimited supply of the yETH index token. On-chain analysis confirms the attacker drained the pool of 751 wstETH, 412 rETH, and 203 cbETH, with a portion of the stolen funds immediately routed to a mixing service.

A polished silver toroidal structure rests alongside a sculpted, translucent sapphire-blue form, revealing an intricate mechanical watch movement. The objects are presented on a minimalist light grey background, highlighting their forms and internal details

Context

The incident highlights the persistent risk posed by legacy or custom smart contracts that operate outside of a protocol’s modern, fully-audited core infrastructure. A known class of vulnerability exists in complex token logic, especially in older, less-used pools where invariant checks may be less rigorous or rely on external assumptions that were not fully stress-tested against uncollateralized token minting.

A partially opened, textured metallic vault structure showcases an interior teeming with dynamic blue and white cloud-like formations, representing the intricate flow of digital asset liquidity. Prominent metallic elements, including a spherical dial and concentric rings, underscore the robust cryptographic security protocols and underlying blockchain infrastructure

Analysis

The attacker compromised a custom stableswap contract designed for the yETH LST basket. The exploit leveraged a dormant logic flaw within the token’s minting function, which failed to correctly verify the collateralization ratio before issuing new yETH tokens. This allowed the actor to mint trillions of yETH for minimal cost, which they then immediately redeemed for real, underlying assets (ETH derivatives) from the associated liquidity pool in a single, atomic transaction. The success hinged on the contract’s failure to maintain a critical supply invariant, a foundational security principle for all synthetic and index tokens.

The image displays a finely detailed metallic component, possibly a gear or a critical cryptographic primitive, centrally positioned and in sharp focus. This mechanism is partially encased by a flowing, translucent light blue substance, which forms organic, wave-like structures around it, receding into a softer blur in the background

Parameters

Total Loss Value → $9 Million → Total value of Liquid Staking Derivatives (LSTs) drained from the affected pools.
Attack Vector → Infinite Mint Vulnerability → The specific contract logic flaw allowing uncollateralized token creation.
Affected Asset Class → Liquid Staking Tokens (LSTs) → The primary assets (wstETH, rETH, cbETH) held in the compromised pool.
Attacker Action → 235 Trillion yETH Minted → The estimated quantity of worthless tokens created to drain the pool.

A close-up view shows a grey, structured container partially filled with a vibrant blue liquid, featuring numerous white bubbles and a clear, submerged circular object. The dynamic composition highlights an active process occurring within a contained system

Outlook

Users should immediately withdraw liquidity from any remaining legacy or unmigrated pools, as these older contracts often present a disproportionately high attack surface. The immediate second-order effect is increased scrutiny on all DeFi protocols utilizing custom or forked stableswap logic, demanding immediate, deep audits of all mint/burn functions and invariant checks. This event will likely establish a new security best practice mandating the complete decommissioning of legacy contracts rather than merely isolating them.

This exploit confirms that unaddressed legacy code and flawed token minting logic remain a catastrophic systemic risk, demanding a zero-tolerance policy for outdated smart contract infrastructure.

Smart contract vulnerability, liquid staking tokens, stableswap pool exploit, infinite minting, logic flaw, DeFi risk, token supply inflation, asset drain, protocol security, LST derivatives, Ethereum blockchain, on-chain forensics, governance token, pool invariant, asset management, decentralized finance, critical vulnerability, whitehat disclosure, code audit, risk mitigation Signal Acquired from → forklog.com