Briefing

A critical vulnerability in a legacy yETH stableswap pool contract resulted in a $9 million theft of liquid staking assets. The exploit leveraged a flaw in the token’s minting logic, enabling the attacker to create an unlimited supply of synthetic yETH. This inflated token supply was then used to systematically drain the underlying ETH and liquid staking tokens from the associated Balancer and Curve pools. The incident highlights the persistent risk posed by deprecated or custom-coded smart contracts, with approximately $3 million of the stolen funds immediately laundered through a crypto mixer.

Context

The affected contract was a custom implementation of a popular stableswap mechanism, designed to aggregate liquid staking tokens. Although the protocol had migrated users to newer, audited V2 and V3 vaults, this older, isolated contract remained live with significant Total Value Locked. That left a vulnerable perimeter → a single legacy contract carrying an inherent mathematical error stayed exposed on-chain, outside the audit and monitoring coverage that protected the main protocol.

Analysis

The attacker first targeted the yETH token’s mint function. Its logic contained a mathematical error that failed to correctly account for the value of the deposited collateral, so the contract minted an estimated 235 trillion yETH without adequate backing. The attacker then swapped this massively inflated supply of synthetic yETH for the real assets (wstETH, rETH, cbETH) held in the linked Balancer and Curve liquidity pools and drained them, all within a single atomic transaction. The drain succeeded because those pools price yETH purely from their own reserves and cannot tell whether a given unit is backed; they accepted the freshly minted yETH as fully valid, turning a token accounting flaw in one contract into a total drain of the associated pools.
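As an added example (not code from this page, and not yETH's or Yearn's actual contract), the Python model below shows the failure class described above: a share-minting formula that does not scale with the value deposited, the backing-per-share invariant a hardened issuing contract would enforce so that such a mint reverts, and the monitor rule that would flag the event off-chain. The pool state, the asset rates and the flawed formula are constructed assumptions chosen for illustration; the flawed formula is a hypothetical bug, not a reconstruction of the real defect.

```python
from fractions import Fraction
from typing import Callable

# Constructed toy model of a multi-asset LP pool whose LP token plays the role
# of a synthetic aggregate token such as yETH. Illustrative code only; the
# flawed share formula is a HYPOTHETICAL bug standing in for "mint amount
# decoupled from deposited value", not the actual yETH defect.

ShareFormula = Callable[[Fraction, Fraction, Fraction], Fraction]


class BackingViolation(Exception):
    """Raised, with state left untouched, when a mint would lower the
    collateral backing each LP token (the invariant a hardened pool enforces)."""


class Pool:
    def __init__(self, rates: dict, balances: dict, supply) -> None:
        self.rates = {s: Fraction(r) for s, r in rates.items()}        # ETH per token
        self.balances = {s: Fraction(b) for s, b in balances.items()}  # tokens held
        self.supply = Fraction(supply)                                 # LP tokens

    def pool_value(self) -> Fraction:
        """Rate-adjusted ETH value of all collateral in the pool."""
        return sum(self.balances[s] * self.rates[s] for s in self.balances)

    def backing_per_share(self) -> Fraction:
        """ETH of real collateral behind one LP token."""
        return self.pool_value() / self.supply

    def mint(self, symbol: str, amount, formula: ShareFormula,
             enforce_invariant: bool = True) -> Fraction:
        """Deposit `amount` of `symbol` and mint LP tokens per `formula`.
        With enforce_invariant=True the mint reverts unless backing per share
        is preserved, whatever mistake the share formula contains."""
        amount = Fraction(amount)
        deposit_value = amount * self.rates[symbol]
        value_before = self.pool_value()
        backing_before = self.backing_per_share()
        shares = formula(self.supply, value_before, deposit_value)
        new_value = value_before + deposit_value
        new_supply = self.supply + shares
        if enforce_invariant and new_value / new_supply < backing_before:
            raise BackingViolation(
                f"minting {float(shares):.0f} shares for {float(deposit_value)} ETH "
                f"would cut backing from {float(backing_before):.4f} to "
                f"{float(new_value / new_supply):.6f} ETH/share")
        self.balances[symbol] += amount
        self.supply = new_supply
        return shares


def correct_shares(supply, value_before, deposit_value) -> Fraction:
    """Proportional mint: new shares / old supply == deposit value / pool value."""
    return supply * deposit_value / value_before


def flawed_shares(supply, value_before, deposit_value) -> Fraction:
    """HYPOTHETICAL bug: the ratio is inverted, so the smaller the deposit the
    larger the mint. Any formula that does not scale with deposit_value has
    the same effect: supply grows without backing."""
    return supply * value_before / deposit_value


def suspicious_mint(minted, deposit_value, backing_before,
                    tolerance=Fraction(1, 100)) -> bool:
    """Off-chain monitor rule over mint events: the pre-mint value of the
    shares issued must not exceed the value deposited beyond a rounding
    tolerance. Fires regardless of which formula produced the mint."""
    return (Fraction(minted) * Fraction(backing_before)
            > Fraction(deposit_value) * (1 + tolerance))


def make_pool() -> Pool:
    """Constructed sample state: three LSTs, 1000 tokens each, LP supply equal
    to the pool's ETH value so that backing starts at exactly 1 ETH/share."""
    return Pool(rates={"wstETH": "1.2", "rETH": "1.1", "cbETH": "1.06"},
                balances={"wstETH": 1000, "rETH": 1000, "cbETH": 1000},
                supply=3360)


def demo() -> dict:
    """Run the same 10 wstETH (12 ETH) deposit three ways and report."""
    honest = make_pool().mint("wstETH", 10, correct_shares)
    unguarded = make_pool()
    inflated = unguarded.mint("wstETH", 10, flawed_shares, enforce_invariant=False)
    guarded = make_pool()
    try:
        guarded.mint("wstETH", 10, flawed_shares)
        reverted = False
    except BackingViolation:
        reverted = True
    return {
        "honest_shares": honest,                        # 12
        "flawed_shares": inflated,                      # 940800
        "inflation_factor": inflated / honest,          # 78400
        "backing_after_flaw": unguarded.backing_per_share(),
        "guarded_reverted": reverted,                   # True
        "guarded_supply_unchanged": guarded.supply == 3360,
        "monitor_flags_flaw": suspicious_mint(inflated, 12, 1),
        "monitor_flags_honest": suspicious_mint(honest, 12, 1),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val if isinstance(val, bool) else float(val)}")
```

The guard is deliberately independent of the share formula: it compares backing per share before and after the mint, so an accounting mistake of any shape cannot push supply past what the deposit actually backs. Downstream AMM pools such as the Balancer and Curve pools above have no equivalent check, which is why the invariant has to live in the issuing contract, with the monitor rule as a second line of detection.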

Parameters

  • Total Loss Valuation → ~$9 Million USD (total assets drained from the affected pools).
  • Minted Token Count → 235 Trillion yETH (synthetic tokens created in the exploit).
  • Laundered Funds → ~$3 Million USD (amount immediately sent to Tornado Cash).
  • Affected Asset Type → Liquid Staking Tokens (the underlying collateral drained, including wstETH and rETH).

Outlook

Protocols must immediately audit every legacy, custom, or deprecated contract, especially those with non-standard token accounting or pool logic, and users must migrate funds from older, non-core pools to V3 vaults or similarly maintained products. The incident reinforces a best practice → every contract that still holds value, whatever its nominal operational status, must either be formally decommissioned (paused, deposits disabled, remaining liquidity withdrawn) or kept under the same rigorous, ongoing security monitoring as core systems, so that a flaw at the perimeter cannot become systemic risk.

Verdict

The exploit of a legacy contract via an infinite minting flaw confirms that perimeter security vulnerabilities in deprecated DeFi infrastructure pose an existential threat to user capital.

smart contract flaw, infinite minting, synthetic asset, stableswap pool, token inflation, legacy contract, liquid staking, pool drain, asset theft, defi security, onchain exploit, custom logic, token accounting, perimeter risk, smart contract audit

Signal Acquired from → dlnews.com

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

mathematical error

Definition ∞ A mathematical error within a blockchain protocol or smart contract is a flaw in its underlying formulas or calculations (an inverted ratio, a missing rate adjustment, a rounding or unit mistake) that produces outputs, such as minted amounts, inconsistent with the economic invariants the contract is meant to uphold.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan or, for a pooled or synthetic token, the underlying assets held by the issuing contract that back each unit of the token.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

funds

Definition ∞ Funds, in the context of digital assets, refer to capital held in or deployed into cryptocurrencies, tokens, or protocol pools.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

infinite minting

Definition ∞ Infinite minting refers to a vulnerability in which a token contract's minting logic can be made to issue tokens without a corresponding deposit of backing value, allowing an attacker to create an effectively unbounded supply and sell it into any market that treats the token as legitimate.