Briefing

The Yearn Finance protocol suffered a critical economic exploit on its legacy yETH stable-swap pool, resulting in a loss of approximately $9 million in various liquid staking tokens (LSTs). The primary consequence was the complete depletion of the affected pool’s liquidity, directly impacting users who had deposited assets into the older yETH product. Forensic analysis confirms the attack vector was a logic flaw that allowed the malicious minting of a near-infinite number of fake yETH tokens, enabling the attacker to withdraw real underlying assets in a single, complex transaction. This incident underscores the disproportionate risk presented by deprecated smart contracts within mature DeFi ecosystems.


Context

The security posture of many multi-vault DeFi protocols remains exposed to risks within legacy or custom-built contracts that were not subjected to the same rigorous, post-flash-loan-era auditing standards. This vulnerability class is often found in bespoke token logic, where the internal accounting or minting function of a stable-swap pool is not sufficiently protected against an adversarial input. The incident confirms that a protocol’s main, active vaults can be 100% secure while older, un-migrated contracts represent a critical, unaddressed attack surface.


Analysis

The attacker compromised a custom stable-swap pool by exploiting a flaw in its internal minting logic for the yETH token. The core mechanism involved supplying a minimal amount of collateral to the pool, then manipulating the contract’s internal state so that it calculated an arbitrarily large, near-infinite amount of new yETH tokens for the attacker. With these newly minted, valueless tokens, the attacker withdrew the pool’s real, valuable collateral (primarily wstETH, rETH, and cbETH) before quickly bridging and laundering a significant portion of the stolen funds via a privacy mixer. The success of the exploit hinged on the contract’s failure to properly validate the input and output amounts during the token minting process.
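As an added illustration (not Yearn's code and not a reconstruction of the exploited contract), the following Python model shows the accounting checks the paragraph describes as missing: shares are derived solely from the value actually deposited rather than from any caller-supplied output amount, a post-condition verifies that backing per share cannot fall before state is committed, and an off-chain monitor flags mint events that issue far more shares than the deposited value justifies. Token symbols, rates, balances and the event schema are constructed assumptions for the example.

```python
"""Invariant-checked share minting plus an off-chain mint monitor.

Constructed example for illustration; it does not reproduce any real
protocol's contract code.  Exact arithmetic (Fraction) is used so the
invariant checks are not confused by floating-point rounding.
"""
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Dict, List


class MintRejected(Exception):
    """Raised when a mint would violate the pool's accounting invariants."""


@dataclass
class Pool:
    balances: Dict[str, F]   # token -> units held by the pool
    rates: Dict[str, F]      # token -> ETH value per unit (constructed rates)
    total_supply: F = F(0)   # pool shares outstanding

    def __post_init__(self) -> None:
        # accept ints/strings for convenience and normalise to Fraction
        self.balances = {t: F(a) for t, a in self.balances.items()}
        self.rates = {t: F(r) for t, r in self.rates.items()}
        self.total_supply = F(self.total_supply)

    def total_value(self) -> F:
        return sum((self.balances[t] * self.rates[t] for t in self.balances), F(0))

    def value_per_share(self) -> F:
        return F(1) if self.total_supply == 0 else self.total_value() / self.total_supply

    def mint(self, deposits: Dict[str, object], min_shares: object = 0) -> F:
        """Issue shares for `deposits`, enforcing:
        1. every deposit is positive and for a supported token;
        2. shares are computed from deposited value only;
        3. backing per share after the mint is not below the value before
           (dry-run on copies; state is committed only if the check passes).
        """
        deps = {t: F(a) for t, a in deposits.items()}
        for token, amount in deps.items():
            if token not in self.balances or amount <= 0:
                raise MintRejected(f"invalid deposit {token}={amount}")
        deposit_value = sum((deps[t] * self.rates[t] for t in deps), F(0))
        before = self.value_per_share()
        shares = deposit_value / before
        if shares < F(min_shares):
            raise MintRejected("slippage: fewer shares than requested")
        new_balances = {t: self.balances[t] + deps.get(t, F(0)) for t in self.balances}
        new_supply = self.total_supply + shares
        new_value = sum((new_balances[t] * self.rates[t] for t in new_balances), F(0))
        if new_value / new_supply < before:
            raise MintRejected("post-condition: backing per share would fall")
        self.balances, self.total_supply = new_balances, new_supply
        return shares


def flag_suspicious_mints(events: List[dict], tolerance: F = F(1, 100)) -> List[str]:
    """Off-chain monitor: return tx ids of mint events whose issued shares exceed
    the value-proportional amount by more than `tolerance` (1% by default).

    Event keys (constructed schema, not any real indexer's):
    tx, deposit_value, shares, supply_before, value_before.
    """
    flagged = []
    for e in events:
        if e["supply_before"] == 0:
            expected = F(e["deposit_value"])
        else:
            expected = F(e["deposit_value"]) * F(e["supply_before"]) / F(e["value_before"])
        if F(e["shares"]) > expected * (1 + tolerance):
            flagged.append(e["tx"])
    return flagged


# Constructed sample events, not on-chain data: the second one issues
# roughly a billion shares against a deposit worth 0.001 ETH.
SAMPLE_EVENTS = [
    {"tx": "0xaaa", "deposit_value": 10, "shares": 10,
     "supply_before": 1000, "value_before": 1000},
    {"tx": "0xbbb", "deposit_value": F(1, 1000), "shares": 10**9,
     "supply_before": 1010, "value_before": 1010},
]


if __name__ == "__main__":
    pool = Pool({"wstETH": 0, "rETH": 0}, {"wstETH": "1.2", "rETH": "1.1"})
    print("first mint shares:", pool.mint({"wstETH": 100, "rETH": 50}))
    print("second mint shares:", pool.mint({"rETH": 10}))
    print("flagged:", flag_suspicious_mints(SAMPLE_EVENTS))
```

The on-chain half of the check (value-derived shares plus a post-condition) is what makes an "infinite mint" impossible by construction; the off-chain half is the alert a monitoring team would want, so that an anomalous mint is noticed in the same block rather than after the pool is drained.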


Parameters

  • Total Loss → $9 Million – The approximate total value of assets drained from the legacy yETH pools.
  • Vulnerability Type → Infinite Mint Logic Flaw – A critical bug in the stable-swap contract’s accounting for new token issuance.
  • Affected Product → Legacy yETH Pool – The specific, older version of the yETH product that was compromised.
  • Laundered Funds → $3 Million – The approximate amount of stolen ETH moved to a privacy mixer.


Outlook

Protocols utilizing custom or legacy smart contract logic, especially those involving token minting and liquid staking tokens (LSTs), must immediately initiate a comprehensive, third-party audit of all non-standard functions. For users, the immediate action is to migrate funds out of any deprecated or legacy pools, as these represent a disproportionate attack surface. This exploit will likely set a new best practice for LST pool design, mandating formal verification of all minting and withdrawal logic to prevent similar economic attacks and contain contagion risk to other DeFi protocols with similar contract architectures.


Verdict

This $9 million exploit serves as a definitive operational warning that the greatest systemic risk in mature DeFi protocols often resides within un-migrated, unaudited legacy contracts.

Signal Acquired from → tradingview.com
