Briefing

A critical vulnerability in a legacy yETH stableswap pool contract resulted in a $9 million theft of liquid staking assets. The exploit leveraged a flaw in the token’s minting logic, enabling the attacker to create an unlimited supply of synthetic yETH. This inflated token supply was then used to systematically drain the underlying ETH and liquid staking tokens from the associated Balancer and Curve pools. The incident highlights the persistent risk posed by deprecated or custom-coded smart contracts, with approximately $3 million of the stolen funds immediately laundered through a crypto mixer.

Context

The affected contract was a custom implementation of a popular stableswap mechanism, designed to aggregate liquid staking tokens. Despite the protocol’s migration to newer, audited V2 and V3 vaults, this older, isolated contract remained operational with significant Total Value Locked. This architecture created a vulnerable perimeter → a single, legacy smart contract with an inherent mathematical error was left exposed, circumventing the security posture of the main protocol.

Analysis

The attacker executed a multi-step transaction by first targeting the yETH token’s mint function. The underlying logic contained a mathematical error that failed to correctly account for the value of the deposited collateral, allowing the minting of an estimated 235 trillion yETH tokens without adequate backing. The attacker then used this massively inflated supply of synthetic yETH to swap for and drain the real assets (wstETH, rETH, cbETH) from the linked Balancer and Curve liquidity pools in a single, atomic transaction. The success was due to the pools treating the newly minted yETH as valid collateral, effectively turning a token logic flaw into a total pool drain.

Parameters

  • Total Loss Valuation → ~$9 Million USD (Total assets drained from the affected pools).
  • Minted Token Count → 235 Trillion yETH (Synthetic tokens created in the exploit).
  • Laundered Funds → ~$3 Million USD (Amount immediately sent to Tornado Cash).
  • Affected Asset Type → Liquid Staking Tokens (The underlying collateral drained, including wstETH and rETH).

Outlook

Protocols must immediately conduct a comprehensive audit of all legacy, custom, or deprecated contracts, especially those with non-standard token accounting or pool logic. Users must migrate funds from older, non-core pools to V3 vaults or similar, actively maintained products. This incident establishes a new best practice → all contracts, regardless of their operational status, must be formally decommissioned or subjected to the same rigorous, ongoing security monitoring as core systems to prevent systemic risk from perimeter flaws.
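The ongoing monitoring recommended above can start from one accounting invariant: a mint must never increase token supply by more than the value of the collateral it added. The following is an added example, not code from the affected protocol or from the original briefing. The pool snapshots, transaction labels, rates and the 1% tolerance are constructed assumptions, and the third snapshot reuses the 235 trillion figure only as sample input.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed point, as used by ETH-denominated tokens

@dataclass(frozen=True)
class Snapshot:
    """Pool state after one transaction (constructed sample data)."""
    tx: str
    supply: int      # pool-token total supply, in wei
    balances: dict   # asset symbol -> pool balance, in wei
    rates: dict      # asset symbol -> ETH value of one token, WAD-scaled

def backing(s: Snapshot) -> int:
    """ETH value of all collateral held by the pool, in wei."""
    return sum(bal * s.rates[sym] // WAD for sym, bal in s.balances.items())

def check_mints(history, max_bps=100):
    """Flag transactions where supply grew more than the backing added.

    max_bps is the tolerated excess of minted tokens over added backing,
    in basis points (an assumed threshold, tune per pool).
    """
    alerts = []
    for prev, cur in zip(history, history[1:]):
        minted = cur.supply - prev.supply
        if minted <= 0:
            continue  # burns and swaps are outside this check
        added = max(backing(cur) - backing(prev), 0)
        allowed = added * (10_000 + max_bps) // 10_000
        if minted > allowed:
            alerts.append((cur.tx, minted, added))
    return alerts

RATES = {"wstETH": 12 * 10**17, "rETH": 11 * 10**17}  # constructed rates
HISTORY = [  # constructed snapshots, not on-chain data
    Snapshot("tx-1-constructed", 1000 * WAD,
             {"wstETH": 500 * WAD, "rETH": 450 * WAD}, RATES),
    # Honest deposit: 10 wstETH (12 ETH of value) mints 11.9 pool tokens.
    Snapshot("tx-2-constructed", 1000 * WAD + 119 * 10**17,
             {"wstETH": 510 * WAD, "rETH": 450 * WAD}, RATES),
    # Broken mint: 0.001 rETH deposited, 235 trillion pool tokens minted.
    Snapshot("tx-3-constructed", 1000 * WAD + 119 * 10**17 + 235 * 10**12 * WAD,
             {"wstETH": 510 * WAD, "rETH": 450 * WAD + 10**15}, RATES),
]

if __name__ == "__main__":
    for tx, minted, added in check_mints(HISTORY):
        print(f"ALERT {tx}: minted {minted} wei against {added} wei of new backing")
```

Because the check compares supply and backing deltas rather than re-running the contract's own mint formula, it does not inherit an error in that formula.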

Verdict

The exploit of a legacy contract via an infinite minting flaw confirms that perimeter security vulnerabilities in deprecated DeFi infrastructure pose an existential threat to user capital.

Signal Acquired from → dlnews.com