Briefing

The Yearn Finance ecosystem was targeted via a sophisticated exploit on its yETH Liquid Staking Token stableswap pool, resulting in a loss of approximately $9 million in various Liquid Staking Derivatives (LSTs). The primary consequence is a systemic failure of the pool’s core invariant, as the attacker was able to mint an effectively unlimited supply of the yETH index token. On-chain analysis confirms the attacker drained the pool of 751 wstETH, 412 rETH, and 203 cbETH, with a portion of the stolen funds immediately routed to a mixing service.


Context

The incident highlights the persistent risk posed by legacy or custom smart contracts that operate outside a protocol’s modern, fully audited core infrastructure. A known class of vulnerability exists in complex token logic, especially in older, less-used pools where invariant checks may be less rigorous or rely on external assumptions that were never stress-tested against uncollateralized token minting.


Analysis

The attacker compromised a custom stableswap contract designed for the yETH LST basket. The exploit leveraged a dormant logic flaw within the token’s minting function, which failed to correctly verify the collateralization ratio before issuing new yETH tokens. This allowed the actor to mint trillions of yETH for minimal cost, which they then immediately redeemed for real, underlying assets (ETH derivatives) from the associated liquidity pool in a single, atomic transaction. The success hinged on the contract’s failure to maintain a critical supply invariant, a foundational security principle for all synthetic and index tokens.


Parameters

  • Total Loss Value → $9 Million → Total value of Liquid Staking Derivatives (LSTs) drained from the affected pools.
  • Attack Vector → Infinite Mint Vulnerability → The specific contract logic flaw allowing uncollateralized token creation.
  • Affected Asset Class → Liquid Staking Tokens (LSTs) → The primary assets (wstETH, rETH, cbETH) held in the compromised pool.
  • Attacker Action → 235 Trillion yETH Minted → The estimated quantity of worthless tokens created to drain the pool.


Outlook

Users should immediately withdraw liquidity from any remaining legacy or unmigrated pools, as these older contracts often present a disproportionately high attack surface. The immediate second-order effect is increased scrutiny on all DeFi protocols utilizing custom or forked stableswap logic, demanding immediate, deep audits of all mint/burn functions and invariant checks. This event will likely establish a new security best practice mandating the complete decommissioning of legacy contracts rather than merely isolating them.

This exploit confirms that unaddressed legacy code and flawed token minting logic remain a catastrophic systemic risk, demanding a zero-tolerance policy for outdated smart contract infrastructure.

Smart contract vulnerability, liquid staking tokens, stableswap pool exploit, infinite minting, logic flaw, DeFi risk, token supply inflation, asset drain, protocol security, LST derivatives, Ethereum blockchain, on-chain forensics, governance token, pool invariant, asset management, decentralized finance, critical vulnerability, whitehat disclosure, code audit, risk mitigation

Signal Acquired from → forklog.com

Micro Crypto News Feeds