Briefing

A critical exploit targeted a legacy Yearn Finance yETH stable-swap pool, leveraging a flaw in its custom contract logic to execute an unauthorized asset drain. The primary consequence was the immediate loss of liquidity provider assets, forcing the protocol to pause the affected router and initiate a treasury reimbursement proposal for victims. The total loss is estimated at approximately $9 million, consisting primarily of liquid staking tokens such as wstETH and rETH.


Context

The vulnerability resided in a custom, non-standard stableswap contract that was distinct from the protocol’s main V3 vaults, representing a classic case of legacy contract risk within a complex DeFi ecosystem. This specific contract was not subject to the same rigorous, recent audits as the core V3 system, creating an isolated but high-value attack surface.


Analysis

The attack vector exploited a weakness in the custom pool's internal accounting logic, which failed to properly validate token balance changes during a specific operation. The attacker first manipulated the contract state so that it registered a near-zero token balance, then used that state to trigger the minting of yETH tokens far in excess of the underlying collateral. These newly minted, unbacked tokens were then used to withdraw real, valuable liquid staking assets from the pool in a single transaction, effectively draining the pool's liquidity. The attack bypassed standard solvency checks because the logic flaw was unique to the custom pool's design and was not covered by them.
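The defensive pattern the paragraph above implies, as an added example that is not the yETH contract's code: a constructed toy model of an LST stable-swap pool in which the mint path enforces a supply-versus-backing invariant computed from real balances rather than stored state, plus a monitoring rule that flags mints whose value far exceeds the collateral deposited. Prices, balances and events are illustrative values chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed illustrative ETH-denominated prices; not market data.
PRICES = {"wstETH": 1.15, "rETH": 1.10}

@dataclass
class Pool:
    # Real token balances the pool holds (constructed values).
    balances: dict = field(default_factory=lambda: {"wstETH": 1000.0, "rETH": 1000.0})
    lp_supply: float = 2250.0  # equals backing_eth() at the start, i.e. fully backed

    def backing_eth(self) -> float:
        """ETH value of the collateral the pool actually holds."""
        return sum(amt * PRICES[tok] for tok, amt in self.balances.items())

class SolvencyViolation(Exception):
    pass

def mint(pool: Pool, token: str, deposit: float, lp_out: float, slack: float = 0.01) -> float:
    """Apply a deposit and mint `lp_out` LP tokens only if the pool stays backed.
    `lp_out` is whatever the (possibly buggy) pricing logic proposed; the invariant
    is checked against real balances, so a manipulated stored balance cannot
    turn a small deposit into an unbacked mint. Returns the new LP supply."""
    pool.balances[token] += deposit
    if pool.lp_supply + lp_out > pool.backing_eth() * (1 + slack):
        pool.balances[token] -= deposit  # undo the deposit, mirroring a revert
        raise SolvencyViolation(f"mint of {lp_out:.0f} LP would exceed pool backing")
    pool.lp_supply += lp_out
    return pool.lp_supply

def suspicious_mints(events, max_ratio: float = 1.5):
    """Monitoring rule over constructed Mint events (token, deposit, lp_minted):
    flag any mint whose LP amount exceeds `max_ratio` times the deposited
    collateral's ETH value, or that minted against a zero deposit."""
    flagged = []
    for token, deposit, lp_minted in events:
        deposited_eth = deposit * PRICES[token]
        if deposited_eth == 0 or lp_minted / deposited_eth > max_ratio:
            flagged.append((token, deposit, lp_minted))
    return flagged
```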


Parameters

  • Total Funds Lost → ~$9 Million – The estimated value of all liquid staking tokens drained from the pool.
  • Reimbursement Approved → $3.2 Million – The amount approved by governance for initial victim compensation via USDC Merkle drop.
  • Vulnerable Contract Type → Custom Stableswap Pool – The specific, non-standard contract where the infinite minting logic flaw resided.


Outlook

Immediate mitigation requires all protocols with custom or legacy contracts to conduct a dedicated audit of non-standard token accounting and minting logic. The second-order effect is a renewed focus on supply chain security for DeFi, where a single older, peripheral contract can compromise a major protocol's reputation and capital. This event will likely establish a new best practice → the mandatory sunsetting or migration of all non-core, unaudited legacy contracts.


Verdict

This exploit confirms that unaddressed legacy contract risk remains the most significant systemic threat to mature decentralized finance protocols.

Infinite mint vulnerability, smart contract logic, token inflation attack, stableswap pool, liquidity drain, DeFi exploit, legacy contract risk, asset management, on-chain forensics, ERC-20 flaw, tokenized ETH, collateral loss, reentrancy risk, state manipulation

Signal Acquired from → tradingview.com
