DeFi Protocol Stableswap Pool Drained by Token Infinite Mint Logic Flaw → Security

The image displays a transparent, ring-like structure containing a textured, frothy blue substance. A white spherical object is suspended centrally, with a thin stream of clear liquid flowing over the blue substance and around the sphere

A white, rectangular, modular device with visible ports and connections extends into a vibrant, glowing blue crystalline structure, which is composed of numerous small, luminous spheres and interspersed with frosty textures. The background shows a blurred continuation of similar blue and white elements, suggesting a complex digital environment

Briefing

The Yearn Finance ecosystem was targeted via a sophisticated exploit on its yETH Liquid Staking Token stableswap pool, resulting in a loss of approximately $9 million in various Liquid Staking Derivatives (LSTs). The primary consequence is a systemic failure of the pool’s core invariant, as the attacker was able to mint an effectively unlimited supply of the yETH index token. On-chain analysis confirms the attacker drained the pool of 751 wstETH, 412 rETH, and 203 cbETH, with a portion of the stolen funds immediately routed to a mixing service.

A close-up view shows a grey, structured container partially filled with a vibrant blue liquid, featuring numerous white bubbles and a clear, submerged circular object. The dynamic composition highlights an active process occurring within a contained system

Context

The incident highlights the persistent risk posed by legacy or custom smart contracts that operate outside of a protocol’s modern, fully-audited core infrastructure. A known class of vulnerability exists in complex token logic, especially in older, less-used pools where invariant checks may be less rigorous or rely on external assumptions that were not fully stress-tested against uncollateralized token minting.

A close-up view reveals a sleek, high-tech metallic and dark blue module, centrally featuring the distinct Ethereum emblem on its silver surface. Numerous blue wires are intricately woven around and connected to various components, including a textured metallic dial and digital displays showing "0" and "01"

Analysis

The attacker compromised a custom stableswap contract designed for the yETH LST basket. The exploit leveraged a dormant logic flaw within the token’s minting function, which failed to correctly verify the collateralization ratio before issuing new yETH tokens. This allowed the actor to mint trillions of yETH for minimal cost, which they then immediately redeemed for real, underlying assets (ETH derivatives) from the associated liquidity pool in a single, atomic transaction. The success hinged on the contract’s failure to maintain a critical supply invariant, a foundational security principle for all synthetic and index tokens.

A dark blue, spherical digital asset is partially enveloped by a translucent, light blue, flowing material. This enveloping layer is speckled with numerous tiny white particles, creating a dynamic, abstract composition against a soft grey background

Parameters

Total Loss Value → $9 Million → Total value of Liquid Staking Derivatives (LSTs) drained from the affected pools.
Attack Vector → Infinite Mint Vulnerability → The specific contract logic flaw allowing uncollateralized token creation.
Affected Asset Class → Liquid Staking Tokens (LSTs) → The primary assets (wstETH, rETH, cbETH) held in the compromised pool.
Attacker Action → 235 Trillion yETH Minted → The estimated quantity of worthless tokens created to drain the pool.

A detailed close-up reveals a sophisticated blue-tinted mechanical device with transparent elements and polished metallic parts. A dense mass of white foam, composed of numerous tiny bubbles, sits atop a central circular section of the mechanism, symbolizing active liquidity pool dynamics within a decentralized finance DeFi ecosystem

Outlook

Users should immediately withdraw liquidity from any remaining legacy or unmigrated pools, as these older contracts often present a disproportionately high attack surface. The immediate second-order effect is increased scrutiny on all DeFi protocols utilizing custom or forked stableswap logic, demanding immediate, deep audits of all mint/burn functions and invariant checks. This event will likely establish a new security best practice mandating the complete decommissioning of legacy contracts rather than merely isolating them.

This exploit confirms that unaddressed legacy code and flawed token minting logic remain a catastrophic systemic risk, demanding a zero-tolerance policy for outdated smart contract infrastructure.

Smart contract vulnerability, liquid staking tokens, stableswap pool exploit, infinite minting, logic flaw, DeFi risk, token supply inflation, asset drain, protocol security, LST derivatives, Ethereum blockchain, on-chain forensics, governance token, pool invariant, asset management, decentralized finance, critical vulnerability, whitehat disclosure, code audit, risk mitigation Signal Acquired from → forklog.com