Security

Legacy DeFi Pool Drained Exploiting Infinite Token Minting Flaw

A critical flaw in a custom stable-swap contract allowed an attacker to mint near-infinite yETH, bypassing core pool solvency checks.
December 3, 20253 min

A futuristic white capsule-like device, split into two segments, rests amidst dynamic blue liquid. Bright blue glowing particles emanate from the central opening of the device, dispersing into the surrounding translucent medium
Two sophisticated white modular devices are shown in a state of dynamic interaction, with a luminous blue cube and radiating particles connecting their open interfaces. The background features blurred, similar technological components, suggesting a vast, interconnected system

Briefing

A critical exploit targeted a legacy Yearn Finance yETH stable-swap pool, leveraging a flaw in its custom contract logic to execute an unauthorized asset drain. The primary consequence was the immediate loss of liquidity provider assets, forcing the protocol to pause the affected router and initiate a treasury reimbursement proposal for victims. The incident was quantified by the total loss of approximately $9 million, primarily consisting of liquid staking tokens like wstETH and rETH.

A close-up view reveals a transparent, futuristic apparatus containing a vibrant blue liquid filled with a dense array of uniform bubbles. Internal illuminated blue lines suggest intricate circuitry or data pathways within the fluid, set against a blurred light gray background

Context

The vulnerability resided in a custom, non-standard stableswap contract that was distinct from the protocol’s main V3 vaults, representing a classic case of legacy contract risk within a complex DeFi ecosystem. This specific contract was not subject to the same rigorous, recent audits as the core V3 system, creating an isolated but high-value attack surface.

A vibrant blue crystalline formation covered in white frost stands beside a clear rectangular glass panel, which in turn rests near a smooth white sphere, all nestled in a landscape of pristine white snow dunes. This visual narrative abstracts the complex mechanisms of a blockchain architecture

Analysis

The attack vector exploited a weakness in the custom pool’s internal accounting logic, which failed to properly validate the token balance changes during a specific operation. The attacker first manipulated the contract state to register a near-zero token balance, then used this state to trigger the infinite minting of yETH tokens far exceeding the underlying collateral. These newly minted, unbacked tokens were then used to withdraw real, valuable liquid staking assets from the pool in a single transaction, effectively draining the entire liquidity. This attack bypassed standard solvency checks by exploiting a logic flaw unique to the custom pool’s design.

A white, textured sphere is positioned on a reflective surface, with metallic rods extending behind it towards a circular, metallic structure. Intertwined with the rods and within a translucent, scoop-like container, a mix of white and blue granular material appears to flow

Parameters

  • Total Funds Lost → ~$9 Million – The estimated value of all liquid staking tokens drained from the pool.
  • Reimbursement Approved → $3.2 Million – The amount approved by governance for initial victim compensation via USDC Merkle drop.
  • Vulnerable Contract Type → Custom Stableswap Pool – The specific, non-standard contract where the infinite minting logic flaw resided.

A close-up reveals a central processing unit CPU prominently featuring the Ethereum logo, embedded within a complex array of metallic structures and vibrant blue, glowing pathways. This detailed rendering visually represents the core of the Ethereum blockchain's operational infrastructure

Outlook

Immediate mitigation requires all protocols with custom or legacy contracts to conduct an aggressive, dedicated audit for non-standard token accounting and minting logic. The second-order effect is a renewed focus on supply chain security for DeFi, where a single, older, peripheral contract can compromise a major protocol’s reputation and capital. This event will likely establish a new best practice → the mandatory sunsetting or migration of all non-core, unaudited legacy contracts.

A snow-covered mass, resembling an iceberg, floats in serene blue water, hosting a textured white sphere and interacting with a metallic, faceted object. From this interaction, a vivid blue liquid cascades into the water, creating white splashes

Verdict

This exploit confirms that unaddressed legacy contract risk remains the most significant systemic threat to mature decentralized finance protocols.

Infinite mint vulnerability, smart contract logic, token inflation attack, stableswap pool, liquidity drain, DeFi exploit, legacy contract risk, asset management, on-chain forensics, ERC-20 flaw, tokenized ETH, collateral loss, reentrancy risk, state manipulation Signal Acquired from → tradingview.com

Micro Crypto News Feeds

treasury reimbursement

Definition ∞ Treasury reimbursement refers to the process by which funds are returned or compensated to a treasury, typically after an expense has been incurred or a loss has been sustained.

legacy contract risk

Definition ∞ Legacy contract risk pertains to the potential for financial loss or operational disruption stemming from vulnerabilities in older smart contracts.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

Tags:

Tags: