Security

Legacy DeFi Pool Drained Exploiting Infinite Token Minting Flaw

A critical flaw in a custom stable-swap contract allowed an attacker to mint near-infinite yETH, bypassing core pool solvency checks.
December 3, 20253 min

A sleek, blue and silver mechanical device with intricate metallic components is centered, featuring a raised Ethereum logo on its upper surface. The device exhibits a high level of engineering detail, with various rods, plates, and fasteners forming a complex, integrated system
A close-up view presents a highly detailed metallic component, possibly a specialized bearing or engine part, immersed in a dynamic field of white, frothy bubbles. The underlying structure appears to be a deep blue, multi-faceted material, suggesting a complex internal system

Briefing

A critical exploit targeted a legacy Yearn Finance yETH stable-swap pool, leveraging a flaw in its custom contract logic to execute an unauthorized asset drain. The primary consequence was the immediate loss of liquidity provider assets, forcing the protocol to pause the affected router and initiate a treasury reimbursement proposal for victims. The incident was quantified by the total loss of approximately $9 million, primarily consisting of liquid staking tokens like wstETH and rETH.

A close-up view reveals a multi-faceted, transparent object with sharp geometric edges, encasing a smooth, amorphous blue mass within its core. The interplay of light through the clear material highlights the vibrant blue interior and the intricate structure of the outer shell

Context

The vulnerability resided in a custom, non-standard stableswap contract that was distinct from the protocol’s main V3 vaults, representing a classic case of legacy contract risk within a complex DeFi ecosystem. This specific contract was not subject to the same rigorous, recent audits as the core V3 system, creating an isolated but high-value attack surface.

A brilliant, multi-faceted diamond, exhibiting prismatic light refractions, is held within a minimalist, white, circular apparatus with metallic joint accents. Behind this central element, a complex, crystalline formation displays intense shades of blue and indigo, suggesting a network or a foundational structure

Analysis

The attack vector exploited a weakness in the custom pool’s internal accounting logic, which failed to properly validate the token balance changes during a specific operation. The attacker first manipulated the contract state to register a near-zero token balance, then used this state to trigger the infinite minting of yETH tokens far exceeding the underlying collateral. These newly minted, unbacked tokens were then used to withdraw real, valuable liquid staking assets from the pool in a single transaction, effectively draining the entire liquidity. This attack bypassed standard solvency checks by exploiting a logic flaw unique to the custom pool’s design.

A luminous, ice-like sphere, resembling a miniature moon, is centrally positioned on an advanced metallic platform. Surrounding the sphere are fine, light blue crystalline particles, with darker blue concentrations near its base, while blue vapor drifts around the structure

Parameters

  • Total Funds Lost → ~$9 Million – The estimated value of all liquid staking tokens drained from the pool.
  • Reimbursement Approved → $3.2 Million – The amount approved by governance for initial victim compensation via USDC Merkle drop.
  • Vulnerable Contract Type → Custom Stableswap Pool – The specific, non-standard contract where the infinite minting logic flaw resided.

The image displays a close-up of a futuristic, metallic computing device with prominent blue glowing internal components. Its intricate design features brushed metal surfaces, sharp geometric forms, and transparent sections revealing illuminated conduits

Outlook

Immediate mitigation requires all protocols with custom or legacy contracts to conduct an aggressive, dedicated audit for non-standard token accounting and minting logic. The second-order effect is a renewed focus on supply chain security for DeFi, where a single, older, peripheral contract can compromise a major protocol’s reputation and capital. This event will likely establish a new best practice → the mandatory sunsetting or migration of all non-core, unaudited legacy contracts.

A white, textured sphere is positioned on a reflective surface, with metallic rods extending behind it towards a circular, metallic structure. Intertwined with the rods and within a translucent, scoop-like container, a mix of white and blue granular material appears to flow

Verdict

This exploit confirms that unaddressed legacy contract risk remains the most significant systemic threat to mature decentralized finance protocols.

Infinite mint vulnerability, smart contract logic, token inflation attack, stableswap pool, liquidity drain, DeFi exploit, legacy contract risk, asset management, on-chain forensics, ERC-20 flaw, tokenized ETH, collateral loss, reentrancy risk, state manipulation Signal Acquired from → tradingview.com

Micro Crypto News Feeds

treasury reimbursement

Definition ∞ Treasury reimbursement refers to the process by which funds are returned or compensated to a treasury, typically after an expense has been incurred or a loss has been sustained.

legacy contract risk

Definition ∞ Legacy contract risk pertains to the potential for financial loss or operational disruption stemming from vulnerabilities in older smart contracts.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

Tags:

Tags: