Security

Legacy DeFi Pool Drained Exploiting Infinite Token Minting Flaw

A critical flaw in a custom stable-swap contract allowed an attacker to mint near-infinite yETH, bypassing core pool solvency checks.
December 3, 20253 min

A close-up view shows a grey, structured container partially filled with a vibrant blue liquid, featuring numerous white bubbles and a clear, submerged circular object. The dynamic composition highlights an active process occurring within a contained system
A prominent white, smooth, toroidal structure centrally frames a vibrant dark blue, translucent, amorphous mass. From the right side, this blue substance dynamically fragments into numerous smaller, crystalline particles, scattering outwards against a soft grey-blue background

Briefing

A critical exploit targeted a legacy Yearn Finance yETH stable-swap pool, leveraging a flaw in its custom contract logic to execute an unauthorized asset drain. The primary consequence was the immediate loss of liquidity provider assets, forcing the protocol to pause the affected router and initiate a treasury reimbursement proposal for victims. The incident was quantified by the total loss of approximately $9 million, primarily consisting of liquid staking tokens like wstETH and rETH.

A close-up reveals a sophisticated metallic, star-shaped structure featuring luminous blue, transparent segments, partially encased by a swirling, white, textured material. The central object appears to be in motion, with small particulate matter emanating from the white substance near the glowing blue sections

Context

The vulnerability resided in a custom, non-standard stableswap contract that was distinct from the protocol’s main V3 vaults, representing a classic case of legacy contract risk within a complex DeFi ecosystem. This specific contract was not subject to the same rigorous, recent audits as the core V3 system, creating an isolated but high-value attack surface.

The image displays two advanced white cylindrical modules, slightly separated, with a bright blue energy discharge and numerous blue spheres erupting between them. The background features blurred blue chain-like structures

Analysis

The attack vector exploited a weakness in the custom pool’s internal accounting logic, which failed to properly validate the token balance changes during a specific operation. The attacker first manipulated the contract state to register a near-zero token balance, then used this state to trigger the infinite minting of yETH tokens far exceeding the underlying collateral. These newly minted, unbacked tokens were then used to withdraw real, valuable liquid staking assets from the pool in a single transaction, effectively draining the entire liquidity. This attack bypassed standard solvency checks by exploiting a logic flaw unique to the custom pool’s design.

A close-up reveals an intricate mechanical system featuring two modular units, with the foreground unit exposing precision gears, metallic plates, and a central white geometric component within a brushed metal casing. Multi-colored wires connect the modules, which are integrated into a blue structural frame alongside additional mechanical components and a ribbed metallic adjustment knob

Parameters

  • Total Funds Lost → ~$9 Million – The estimated value of all liquid staking tokens drained from the pool.
  • Reimbursement Approved → $3.2 Million – The amount approved by governance for initial victim compensation via USDC Merkle drop.
  • Vulnerable Contract Type → Custom Stableswap Pool – The specific, non-standard contract where the infinite minting logic flaw resided.

A central metallic protocol mechanism, intricately designed with visible apertures, is depicted surrounded by a dynamic, luminous blue fluid. This fluid, resembling a liquidity pool, exhibits flowing motion, highlighting the metallic component's precision engineering

Outlook

Immediate mitigation requires all protocols with custom or legacy contracts to conduct an aggressive, dedicated audit for non-standard token accounting and minting logic. The second-order effect is a renewed focus on supply chain security for DeFi, where a single, older, peripheral contract can compromise a major protocol’s reputation and capital. This event will likely establish a new best practice → the mandatory sunsetting or migration of all non-core, unaudited legacy contracts.

The close-up image showcases a complex internal structure, featuring a porous white outer shell enveloping metallic silver components intertwined with luminous blue, crystalline elements. A foamy texture coats parts of the white structure and the blue elements, highlighting intricate details within the mechanism

Verdict

This exploit confirms that unaddressed legacy contract risk remains the most significant systemic threat to mature decentralized finance protocols.

Infinite mint vulnerability, smart contract logic, token inflation attack, stableswap pool, liquidity drain, DeFi exploit, legacy contract risk, asset management, on-chain forensics, ERC-20 flaw, tokenized ETH, collateral loss, reentrancy risk, state manipulation Signal Acquired from → tradingview.com

Micro Crypto News Feeds

treasury reimbursement

Definition ∞ Treasury reimbursement refers to the process by which funds are returned or compensated to a treasury, typically after an expense has been incurred or a loss has been sustained.

legacy contract risk

Definition ∞ Legacy contract risk pertains to the potential for financial loss or operational disruption stemming from vulnerabilities in older smart contracts.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

Tags:

Tags: