Briefing

The Yearn Finance protocol suffered a critical economic exploit on its legacy yETH stable-swap pool, resulting in a loss of approximately $9 million in various liquid staking tokens (LSTs). The primary consequence was the complete depletion of the affected pool’s liquidity, directly impacting users who had deposited assets into the older yETH product. Forensic analysis confirms the attack vector was a logic flaw that allowed the malicious minting of a near-infinite number of fake yETH tokens, enabling the attacker to withdraw real underlying assets in a single, complex transaction. This incident underscores the disproportionate risk presented by deprecated smart contracts within mature DeFi ecosystems.


Context

The security posture of many multi-vault DeFi protocols remains exposed to risks within legacy or custom-built contracts that were not subjected to the same rigorous, post-flash-loan-era auditing standards. This vulnerability class is often found in bespoke token logic, where the internal accounting or minting function of a stable-swap pool is not sufficiently protected against an adversarial input. The incident confirms that a protocol’s main, active vaults can be 100% secure while older, un-migrated contracts represent a critical, unaddressed attack surface.


Analysis

The attacker compromised a custom stable-swap pool by exploiting a flaw in its internal minting logic for the yETH token. The core mechanism involved supplying a minimal amount of collateral to the pool, then manipulating the contract’s internal state so that it calculated an arbitrarily large, near-infinite amount of new yETH tokens for the attacker. With these newly minted, valueless tokens, the attacker withdrew the pool’s real, valuable collateral (primarily wstETH, rETH, and cbETH) before quickly bridging and laundering a significant portion of the stolen funds via a privacy mixer. The success of the exploit hinged on the contract’s failure to properly validate the input and output amounts during the token minting process.
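The validation failure described above, illustrated with added example code that is not Yearn's contract and not a reconstruction of the actual yETH bug: a toy multi-LST basket pool in Python whose `checked_mint` derives shares from the value actually deposited and then enforces a share-price invariant as a post-condition, so that a wrong share quote can never turn into free pool tokens. The `unchecked_mint` method shows the weak pattern beside it. Token symbols are the ones named in the analysis; the prices, balances and the `broken_quote` helper are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample prices in ETH, scaled by PRICE_SCALE (not market data).
PRICE_SCALE = 1000
SAMPLE_PRICES = {"wstETH": 1180, "rETH": 1100, "cbETH": 1070}


class MintRejected(Exception):
    """Raised when a mint would break the pool's share-price invariant."""


def dilutes_holders(value_before: int, shares_before: int,
                    value_after: int, shares_after: int) -> bool:
    """True if value-per-share fell, i.e. the mint issued more shares than the
    deposited value justifies. Cross-multiplied to stay in integer arithmetic."""
    if shares_before == 0:
        return False
    return value_after * shares_before < value_before * shares_after


@dataclass
class BasketPool:
    balances: dict          # token -> units held by the pool
    prices: dict            # token -> price, scaled by PRICE_SCALE
    total_shares: int = 0   # outstanding pool tokens (the "yETH" of this toy)

    def pool_value(self) -> int:
        return sum(bal * self.prices[t] for t, bal in self.balances.items())

    def quote_shares(self, token: str, amount: int) -> int:
        """Pro-rata shares for a deposit: the honest pricing path."""
        deposit_value = amount * self.prices[token]
        if self.total_shares == 0:
            return deposit_value
        return deposit_value * self.total_shares // self.pool_value()

    def unchecked_mint(self, token: str, amount: int, shares: int) -> int:
        """Weak pattern: credits whatever share count the pricing path produced,
        with no check that it corresponds to the value actually deposited."""
        self.balances[token] += amount
        self.total_shares += shares
        return shares

    def checked_mint(self, token: str, amount: int, min_shares_out: int,
                     quote: Optional[Callable[[str, int], int]] = None) -> int:
        """Hardened pattern: quote shares, apply the deposit, then verify the
        invariant on the resulting state and roll back (revert) on violation."""
        quote = quote or self.quote_shares
        value_before, shares_before = self.pool_value(), self.total_shares
        shares = quote(token, amount)
        if shares < min_shares_out:
            raise MintRejected("fewer shares than the depositor accepted")
        self.balances[token] += amount
        self.total_shares += shares
        if dilutes_holders(value_before, shares_before,
                           self.pool_value(), self.total_shares):
            self.balances[token] -= amount      # roll back the state change
            self.total_shares -= shares
            raise MintRejected("mint would dilute existing holders")
        return shares


def new_sample_pool() -> BasketPool:
    """Constructed pool seeded so one share equals one unit of scaled value."""
    pool = BasketPool({"wstETH": 1000, "rETH": 1000, "cbETH": 1000}, dict(SAMPLE_PRICES))
    pool.total_shares = pool.pool_value()
    return pool


def broken_quote(_token: str, _amount: int) -> int:
    """Stand-in for faulty accounting that returns an absurd share count."""
    return 10**30


if __name__ == "__main__":
    pool = new_sample_pool()
    print("honest deposit minted", pool.checked_mint("wstETH", 10, 0), "shares")
    try:
        pool.checked_mint("rETH", 1, 0, quote=broken_quote)
    except MintRejected as err:
        print("rejected:", err)
```

The design point is that the invariant check is independent of how the share count was computed: even if the quoting logic is wrong or is influenced by manipulated internal state, a mint that lowers value-per-share for existing holders cannot complete. The same `dilutes_holders` comparison, run off-chain over mint events, is the kind of check a monitor can use to flag an anomalous issuance.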


Parameters

  • Total Loss: $9 Million – The approximate total value of assets drained from the legacy yETH pools.
  • Vulnerability Type: Infinite Mint Logic Flaw – A critical bug in the stable-swap contract’s accounting for new token issuance.
  • Affected Product: Legacy yETH Pool – The specific, older version of the yETH product that was compromised.
  • Laundered Funds: $3 Million – The approximate amount of stolen ETH moved to a privacy mixer.


Outlook

Protocols utilizing custom or legacy smart contract logic, especially those involving token minting and liquid staking tokens (LSTs), must immediately initiate a comprehensive, third-party audit of all non-standard functions. For users, the immediate action is to migrate funds out of any deprecated or legacy pools, as these represent a disproportionate attack surface. This exploit will likely set a new best practice for LST pool design, mandating formal verification of all minting and withdrawal logic to prevent similar economic attacks and contain contagion risk to other DeFi protocols with similar contract architectures.


Verdict

This $9 million exploit serves as a definitive operational warning that the greatest systemic risk in mature DeFi protocols often resides within un-migrated, unaudited legacy contracts.

Signal acquired from tradingview.com
