Security

Legacy DeFi Pool Drained Exploiting Infinite Token Minting Flaw

A critical flaw in a custom stable-swap contract allowed an attacker to mint near-infinite yETH, bypassing core pool solvency checks.
December 3, 20253 min

A futuristic, mechanical device featuring a prominent dark blue cylindrical core with metallic rings is depicted against a clean, light grey background. A translucent, light blue stream flows dynamically across the device's upper section, and a clear spherical orb floats to its left
A close-up reveals a central processing unit CPU prominently featuring the Ethereum logo, embedded within a complex array of metallic structures and vibrant blue, glowing pathways. This detailed rendering visually represents the core of the Ethereum blockchain's operational infrastructure

Briefing

A critical exploit targeted a legacy Yearn Finance yETH stable-swap pool, leveraging a flaw in its custom contract logic to execute an unauthorized asset drain. The primary consequence was the immediate loss of liquidity provider assets, forcing the protocol to pause the affected router and initiate a treasury reimbursement proposal for victims. The incident was quantified by the total loss of approximately $9 million, primarily consisting of liquid staking tokens like wstETH and rETH.

Two futuristic white devices with prominent blue illuminated panels are shown interacting at their core, where a bright blue energy field connects them. The devices feature metallic accents and intricate modular designs, set against a softly blurred background of abstract blue and grey technological forms

Context

The vulnerability resided in a custom, non-standard stableswap contract that was distinct from the protocol’s main V3 vaults, representing a classic case of legacy contract risk within a complex DeFi ecosystem. This specific contract was not subject to the same rigorous, recent audits as the core V3 system, creating an isolated but high-value attack surface.

A dark blue, spherical digital asset is partially enveloped by a translucent, light blue, flowing material. This enveloping layer is speckled with numerous tiny white particles, creating a dynamic, abstract composition against a soft grey background

Analysis

The attack vector exploited a weakness in the custom pool’s internal accounting logic, which failed to properly validate the token balance changes during a specific operation. The attacker first manipulated the contract state to register a near-zero token balance, then used this state to trigger the infinite minting of yETH tokens far exceeding the underlying collateral. These newly minted, unbacked tokens were then used to withdraw real, valuable liquid staking assets from the pool in a single transaction, effectively draining the entire liquidity. This attack bypassed standard solvency checks by exploiting a logic flaw unique to the custom pool’s design.

A metallic, gear-like component is prominently featured, partially submerged and surrounded by vibrant blue granular material within a structured enclosure. The detailed composition highlights the intricate interaction between the central mechanism and the surrounding elements

Parameters

  • Total Funds Lost → ~$9 Million – The estimated value of all liquid staking tokens drained from the pool.
  • Reimbursement Approved → $3.2 Million – The amount approved by governance for initial victim compensation via USDC Merkle drop.
  • Vulnerable Contract Type → Custom Stableswap Pool – The specific, non-standard contract where the infinite minting logic flaw resided.

A close-up view reveals a metallic, hexagonal object with intricate silver and dark grey patterns, partially surrounded by a vibrant, translucent blue, organic-looking material. A cylindrical metallic component protrudes from one side of the central object

Outlook

Immediate mitigation requires all protocols with custom or legacy contracts to conduct an aggressive, dedicated audit for non-standard token accounting and minting logic. The second-order effect is a renewed focus on supply chain security for DeFi, where a single, older, peripheral contract can compromise a major protocol’s reputation and capital. This event will likely establish a new best practice → the mandatory sunsetting or migration of all non-core, unaudited legacy contracts.

A vibrant, translucent blue stream, appearing as a liquid data flow, courses across a sleek, dark gray technological interface. Within this glowing stream, a metallic, geometric block featuring a distinct 'Y' symbol is prominently embedded

Verdict

This exploit confirms that unaddressed legacy contract risk remains the most significant systemic threat to mature decentralized finance protocols.

Infinite mint vulnerability, smart contract logic, token inflation attack, stableswap pool, liquidity drain, DeFi exploit, legacy contract risk, asset management, on-chain forensics, ERC-20 flaw, tokenized ETH, collateral loss, reentrancy risk, state manipulation Signal Acquired from → tradingview.com

Micro Crypto News Feeds

treasury reimbursement

Definition ∞ Treasury reimbursement refers to the process by which funds are returned or compensated to a treasury, typically after an expense has been incurred or a loss has been sustained.

legacy contract risk

Definition ∞ Legacy contract risk pertains to the potential for financial loss or operational disruption stemming from vulnerabilities in older smart contracts.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

Tags:

Tags: