Briefing

The Yearn Finance protocol suffered a critical economic exploit on its legacy yETH stable-swap pool, resulting in a loss of approximately $9 million in various liquid staking tokens (LSTs). The primary consequence was the complete depletion of the affected pool’s liquidity, directly impacting users who had deposited assets into the older yETH product. Forensic analysis confirms the attack vector was a logic flaw that allowed the malicious minting of a near-infinite number of fake yETH tokens, enabling the attacker to withdraw real underlying assets in a single, complex transaction. This incident underscores the disproportionate risk presented by deprecated smart contracts within mature DeFi ecosystems.


Context

The security posture of many multi-vault DeFi protocols remains exposed to risks within legacy or custom-built contracts that were not subjected to the same rigorous, post-flash-loan-era auditing standards. This vulnerability class is often found in bespoke token logic, where the internal accounting or minting function of a stable-swap pool is not sufficiently protected against an adversarial input. The incident confirms that a protocol’s main, active vaults can be 100% secure while older, un-migrated contracts represent a critical, unaddressed attack surface.


Analysis

The attacker compromised a custom stable-swap pool by exploiting a flaw in its internal minting logic related to the yETH token. The core mechanism involved supplying a minimal amount of collateral to the pool, then manipulating the contract’s internal state to trick it into calculating an arbitrarily large, near-infinite amount of new yETH tokens for the attacker. With these newly minted, valueless tokens, the attacker then withdrew the pool’s real, valuable collateral (primarily wstETH, rETH, and cbETH) before quickly bridging and laundering a significant portion of the stolen funds via a privacy mixer. The success of the exploit hinged on the contract’s failure to properly validate the input and output amounts during the token minting process.
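To make "validate the input and output amounts during minting" concrete, here is an added example that is not Yearn's yETH code: a toy model of an LST pool whose mint path treats its own pricing routine as untrusted and refuses any issuance that exceeds the share of value actually deposited. The asset names, ETH rates and the faulty pricer exercised in the test are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed toy model of an LST stable-swap pool; not Yearn's yETH code.
# Rates are hypothetical ETH values per token. The point is the guard on the
# minted amount, not the curve math a real pool would use to price deposits.

@dataclass
class Pool:
    balances: Dict[str, float]   # asset -> token balance held by the pool
    rates: Dict[str, float]      # asset -> ETH per token (constructed)
    supply: float                # outstanding pool-token (yETH-like) supply

    def value(self) -> float:
        return sum(bal * self.rates[a] for a, bal in self.balances.items())

class MintGuardError(Exception):
    pass

Pricer = Callable[[Pool, float, float], float]

def proportional_pricer(pool: Pool, value_in: float, value_before: float) -> float:
    """Reference issuance: new tokens in proportion to ETH value added."""
    return value_in if pool.supply == 0 else pool.supply * value_in / value_before

def guarded_mint(pool: Pool, deposits: Dict[str, float], min_out: float,
                 pricer: Pricer = proportional_pricer) -> float:
    """Price the deposit with `pricer`, treat its answer as untrusted, and
    only then commit state. Any failed check leaves the pool untouched."""
    value_before, supply_before = pool.value(), pool.supply
    for asset, amount in deposits.items():            # input validation
        if asset not in pool.balances or not amount > 0:
            raise MintGuardError(f"invalid deposit of {amount} {asset}")
    value_in = sum(amt * pool.rates[a] for a, amt in deposits.items())
    value_after = value_before + value_in
    minted = pricer(pool, value_in, value_before)
    if not 0 < minted < float("inf"):                 # output check 1: sane number (rejects inf/NaN)
        raise MintGuardError(f"pricer returned {minted}")
    share_of_supply = minted / (supply_before + minted)
    share_of_value = value_in / value_after
    if share_of_supply > share_of_value * (1 + 1e-9):  # output check 2: bounded by value added
        raise MintGuardError("mint would exceed deposited value share")
    if minted < min_out:                              # output check 3: caller slippage bound
        raise MintGuardError("minted amount below min_out")
    for asset, amount in deposits.items():            # commit only after every check passed
        pool.balances[asset] += amount
    pool.supply += minted
    return minted
```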


Parameters

  • Total Loss → $9 Million – The approximate total value of assets drained from the legacy yETH pools.
  • Vulnerability Type → Infinite Mint Logic Flaw – A critical bug in the stable-swap contract’s accounting for new token issuance.
  • Affected Product → Legacy yETH Pool – The specific, older version of the yETH product that was compromised.
  • Laundered Funds → $3 Million – The approximate amount of stolen ETH moved to a privacy mixer.


Outlook

Protocols utilizing custom or legacy smart contract logic, especially those involving token minting and liquid staking tokens (LSTs), must immediately initiate a comprehensive, third-party audit of all non-standard functions. For users, the immediate action is to migrate funds out of any deprecated or legacy pools, as these represent a disproportionate attack surface. This exploit will likely set a new best practice for LST pool design, mandating formal verification of all minting and withdrawal logic to prevent similar economic attacks and contain contagion risk to other DeFi protocols with similar contract architectures.


Verdict

This $9 million exploit serves as a definitive operational warning that the greatest systemic risk in mature DeFi protocols often resides within un-migrated, unaudited legacy contracts.

Signal Acquired from → tradingview.com
