Briefing

The Yearn Finance protocol suffered a critical economic exploit on its legacy yETH stable-swap pool, resulting in a loss of approximately $9 million in various liquid staking tokens (LSTs). The primary consequence was the complete depletion of the affected pool’s liquidity, directly impacting users who had deposited assets into the older yETH product. Forensic analysis confirms the attack vector was a logic flaw that allowed the malicious minting of a near-infinite number of fake yETH tokens, enabling the attacker to withdraw real underlying assets in a single, complex transaction. This incident underscores the disproportionate risk presented by deprecated smart contracts within mature DeFi ecosystems.

Context

The security posture of many multi-vault DeFi protocols remains exposed to risks within legacy or custom-built contracts that were not subjected to the same rigorous, post-flash-loan-era auditing standards. This vulnerability class is often found in bespoke token logic, where the internal accounting or minting function of a stable-swap pool is not sufficiently protected against an adversarial input. The incident confirms that a protocol’s main, active vaults can be 100% secure while older, un-migrated contracts represent a critical, unaddressed attack surface.

Analysis

The attacker compromised a custom stable-swap pool by exploiting a flaw in its internal minting logic related to the yETH token. The core mechanism involved supplying a minimal amount of collateral to the pool, then manipulating the contract’s internal state to trick it into calculating an arbitrarily large, near-infinite amount of new yETH tokens for the attacker. With these newly minted, valueless tokens, the attacker then withdrew the pool’s real, valuable collateral (primarily wstETH, rETH, and cbETH) before quickly bridging and laundering a significant portion of the stolen funds via a privacy mixer. The success of the exploit hinged on the contract’s failure to properly validate the input and output amounts during the token minting process.
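An added example, not code from Yearn or from the original article: a simplified, constructed single-asset pool model that places a mint which trusts internal accounting beside one that validates the mint's output against real balances. The `ToyPool` class, its fields and the 10 bps tolerance are assumptions for illustration and do not reproduce the yETH contract's actual math.

```python
from dataclasses import dataclass

E18 = 10**18  # 18-decimal fixed-point unit


class MintRejected(Exception):
    """Raised when a mint would dilute the backing of existing pool tokens."""


@dataclass
class ToyPool:
    """Constructed model (assumption): one collateral asset, one pool token."""
    balance: int       # real collateral held by the pool
    supply: int        # pool tokens in circulation
    cached_value: int  # internal accounting value read by the mint math

    def _quote(self, deposit: int) -> int:
        # Mint amount derived from internal accounting only.
        return deposit * self.supply // max(self.cached_value, 1)

    def _apply(self, deposit: int, minted: int) -> None:
        self.balance += deposit
        self.supply += minted
        self.cached_value += deposit

    def mint_unchecked(self, deposit: int) -> int:
        # No output validation: a drifted cached_value yields an unbounded mint.
        minted = self._quote(deposit)
        self._apply(deposit, minted)
        return minted

    def mint_checked(self, deposit: int, tolerance_bps: int = 10) -> int:
        if deposit <= 0:
            raise MintRejected("deposit must be positive")
        minted = self._quote(deposit)
        # Output check against real balances, independent of the quote path:
        # backing per token after the mint must stay within tolerance of the
        # backing before it. Cross-multiplied to stay in integer arithmetic.
        after = (self.balance + deposit) * self.supply * 10_000
        before = self.balance * (self.supply + minted) * (10_000 - tolerance_bps)
        if minted <= 0 or after < before:
            raise MintRejected("mint would dilute backing per token")
        self._apply(deposit, minted)
        return minted
```

The guard re-derives the invariant from `balance` and `supply` rather than from the value the quote used, so it still holds when the internal accounting has been pushed out of line.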

Parameters

  • Total Loss: $9 Million – The approximate total value of assets drained from the legacy yETH pools.
  • Vulnerability Type: Infinite Mint Logic Flaw – A critical bug in the stable-swap contract’s accounting for new token issuance.
  • Affected Product: Legacy yETH Pool – The specific, older version of the yETH product that was compromised.
  • Laundered Funds: $3 Million – The approximate amount of stolen ETH moved to a privacy mixer.

Outlook

Protocols utilizing custom or legacy smart contract logic, especially those involving token minting and liquid staking tokens (LSTs), must immediately initiate a comprehensive, third-party audit of all non-standard functions. For users, the immediate action is to migrate funds out of any deprecated or legacy pools, as these represent a disproportionate attack surface. This exploit will likely set a new best practice for LST pool design, mandating formal verification of all minting and withdrawal logic to prevent similar economic attacks and contain contagion risk to other DeFi protocols with similar contract architectures.

Verdict

This $9 million exploit serves as a definitive operational warning that the greatest systemic risk in mature DeFi protocols often resides within un-migrated, unaudited legacy contracts.

Signal Acquired from: tradingview.com