DeFi Protocol Stableswap Pool Drained by Token Infinite Mint Logic Flaw → Security

The image presents a close-up view of two abstract, smooth forms. A translucent, deep blue element, covered in small water droplets, gently rests against a soft, light grey, subtly contoured background

A pristine white sphere, resembling a valuable digital asset, is suspended within a vibrant, translucent blue structure. This structure, reminiscent of frozen liquid or crystalline data, is partially adorned with white, textured frost along its edges, creating a sense of depth and complexity

Briefing

The Yearn Finance ecosystem was targeted via a sophisticated exploit on its yETH Liquid Staking Token stableswap pool, resulting in a loss of approximately $9 million in various Liquid Staking Derivatives (LSTs). The primary consequence is a systemic failure of the pool’s core invariant, as the attacker was able to mint an effectively unlimited supply of the yETH index token. On-chain analysis confirms the attacker drained the pool of 751 wstETH, 412 rETH, and 203 cbETH, with a portion of the stolen funds immediately routed to a mixing service.

The image displays a transparent, ring-like structure containing a textured, frothy blue substance. A white spherical object is suspended centrally, with a thin stream of clear liquid flowing over the blue substance and around the sphere

Context

The incident highlights the persistent risk posed by legacy or custom smart contracts that operate outside of a protocol’s modern, fully-audited core infrastructure. A known class of vulnerability exists in complex token logic, especially in older, less-used pools where invariant checks may be less rigorous or rely on external assumptions that were not fully stress-tested against uncollateralized token minting.

A detailed close-up shows a complex, futuristic mechanism composed of shiny silver and translucent blue components. At its core, a cross-shaped structure made of light blue foamy material features a prominent metallic five-pointed star

Analysis

The attacker compromised a custom stableswap contract designed for the yETH LST basket. The exploit leveraged a dormant logic flaw within the token’s minting function, which failed to correctly verify the collateralization ratio before issuing new yETH tokens. This allowed the actor to mint trillions of yETH for minimal cost, which they then immediately redeemed for real, underlying assets (ETH derivatives) from the associated liquidity pool in a single, atomic transaction. The success hinged on the contract’s failure to maintain a critical supply invariant, a foundational security principle for all synthetic and index tokens.

A polished silver toroidal structure rests alongside a sculpted, translucent sapphire-blue form, revealing an intricate mechanical watch movement. The objects are presented on a minimalist light grey background, highlighting their forms and internal details

Parameters

Total Loss Value → $9 Million → Total value of Liquid Staking Derivatives (LSTs) drained from the affected pools.
Attack Vector → Infinite Mint Vulnerability → The specific contract logic flaw allowing uncollateralized token creation.
Affected Asset Class → Liquid Staking Tokens (LSTs) → The primary assets (wstETH, rETH, cbETH) held in the compromised pool.
Attacker Action → 235 Trillion yETH Minted → The estimated quantity of worthless tokens created to drain the pool.

A close-up view reveals a metallic, hexagonal object with intricate silver and dark grey patterns, partially surrounded by a vibrant, translucent blue, organic-looking material. A cylindrical metallic component protrudes from one side of the central object

Outlook

Users should immediately withdraw liquidity from any remaining legacy or unmigrated pools, as these older contracts often present a disproportionately high attack surface. The immediate second-order effect is increased scrutiny on all DeFi protocols utilizing custom or forked stableswap logic, demanding immediate, deep audits of all mint/burn functions and invariant checks. This event will likely establish a new security best practice mandating the complete decommissioning of legacy contracts rather than merely isolating them.

This exploit confirms that unaddressed legacy code and flawed token minting logic remain a catastrophic systemic risk, demanding a zero-tolerance policy for outdated smart contract infrastructure.

Smart contract vulnerability, liquid staking tokens, stableswap pool exploit, infinite minting, logic flaw, DeFi risk, token supply inflation, asset drain, protocol security, LST derivatives, Ethereum blockchain, on-chain forensics, governance token, pool invariant, asset management, decentralized finance, critical vulnerability, whitehat disclosure, code audit, risk mitigation Signal Acquired from → forklog.com