Briefing

A critical vulnerability in a legacy yETH stableswap pool contract resulted in a $9 million theft of liquid staking assets. The exploit leveraged a flaw in the token’s minting logic, enabling the attacker to create an unlimited supply of synthetic yETH. This inflated token supply was then used to systematically drain the underlying ETH and liquid staking tokens from the associated Balancer and Curve pools. The incident highlights the persistent risk posed by deprecated or custom-coded smart contracts, with approximately $3 million of the stolen funds immediately laundered through a crypto mixer.

Context

The affected contract was a custom implementation of a popular stableswap mechanism, designed to aggregate liquid staking tokens. Despite the protocol’s migration to newer, audited V2 and V3 vaults, this older, isolated contract remained operational with significant Total Value Locked. This architecture created a vulnerable perimeter → a single, legacy smart contract with an inherent mathematical error was left exposed, circumventing the security posture of the main protocol.

Analysis

The attacker executed a multi-step transaction by first targeting the yETH token’s mint function. The underlying logic contained a mathematical error that failed to correctly account for the value of the deposited collateral, allowing the minting of an estimated 235 trillion yETH tokens without adequate backing. The attacker then used this massively inflated supply of synthetic yETH to swap for and drain the real assets (wstETH, rETH, cbETH) from the linked Balancer and Curve liquidity pools in a single, atomic transaction. The success was due to the pools treating the newly minted yETH as valid collateral, effectively turning a token logic flaw into a total pool drain.

Parameters

  • Total Loss Valuation → ~$9 Million USD (Total assets drained from the affected pools).
  • Minted Token Count → 235 Trillion yETH (Synthetic tokens created in the exploit).
  • Laundered Funds → ~$3 Million USD (Amount immediately sent to Tornado Cash).
  • Affected Asset Type → Liquid Staking Tokens (The underlying collateral drained, including wstETH and rETH).

Outlook

Protocols must immediately conduct a comprehensive audit of all legacy, custom, or deprecated contracts, especially those with non-standard token accounting or pool logic. Users must migrate funds from older, non-core pools to V3 vaults or similar, actively maintained products. This incident establishes a new best practice → all contracts, regardless of their operational status, must be formally decommissioned or subjected to the same rigorous, ongoing security monitoring as core systems to prevent systemic risk from perimeter flaws.
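The Analysis section describes the core failure (a mint path that created supply without matching collateral) and the Outlook calls for ongoing monitoring of legacy pools. The following added example, which is not yETH's code or any code from the affected protocol, models both sides of that in one place: a contract-style backing-invariant guard that refuses an unbacked mint, and an off-chain monitor that replays mint events against pool state and raises an alert when the invariant breaks. It assumes a hypothetical 1 token : 1 ETH-of-collateral peg and ETH-denominated collateral values; the pool balances and transaction labels are constructed, and only the 235 trillion mint magnitude is taken from the page.

```python
"""Backing-invariant guard and mint monitor for a synthetic-asset pool.

Added example (not yETH's or the protocol's code). Assumes a 1 token : 1 ETH of
collateral peg and ETH-denominated collateral values; both are simplifications.
"""
from dataclasses import dataclass


@dataclass
class PoolState:
    collateral_value: float  # ETH-denominated value of all liquid staking tokens held
    total_supply: float      # outstanding synthetic tokens


@dataclass
class MintEvent:
    tx: str                  # constructed label, not a real transaction hash
    minted: float            # synthetic tokens created in the transaction
    collateral_added: float  # ETH value of collateral deposited in the same transaction


class InvariantViolation(Exception):
    """Raised when a mint would leave the pool with unbacked supply."""


def backing_ratio(state: PoolState) -> float:
    """Collateral value per outstanding token; infinite for an empty pool."""
    if state.total_supply == 0:
        return float("inf")
    return state.collateral_value / state.total_supply


def apply_mint(state: PoolState, ev: MintEvent) -> PoolState:
    """Pool state after the mint has taken effect."""
    return PoolState(state.collateral_value + ev.collateral_added,
                     state.total_supply + ev.minted)


def mint_is_backed(state: PoolState, ev: MintEvent, tol: float = 0.01) -> bool:
    """True when the mint creates no unbacked supply.

    Two conditions must hold: the tokens created are covered by the collateral
    deposited in the same transaction (within `tol` for fees and rounding), and
    the pool's overall backing ratio stays at or above the peg afterwards.
    """
    if ev.minted < 0 or ev.collateral_added < 0:
        return False
    if ev.minted > ev.collateral_added * (1 + tol):
        return False
    return backing_ratio(apply_mint(state, ev)) >= 1 - tol


def guarded_mint(state: PoolState, ev: MintEvent) -> PoolState:
    """Contract-style guard: refuse (revert) any mint that breaks the invariant."""
    if not mint_is_backed(state, ev):
        raise InvariantViolation(f"{ev.tx}: minted {ev.minted:.3e} against "
                                 f"{ev.collateral_added:.3e} ETH of collateral")
    return apply_mint(state, ev)


def monitor(state: PoolState, events) -> list[str]:
    """Off-chain monitor: replay mint events and return alerts for unbacked ones.

    Unlike guarded_mint this applies every event (the chain already did), so a
    legacy pool with no on-chain guard still yields a timely alert.
    """
    alerts = []
    for ev in events:
        if not mint_is_backed(state, ev):
            after = apply_mint(state, ev)
            alerts.append(f"ALERT {ev.tx}: supply +{ev.minted:.3e}, "
                          f"collateral +{ev.collateral_added:.3e}, "
                          f"backing ratio after = {backing_ratio(after):.3e}")
        state = apply_mint(state, ev)
    return alerts


# Constructed sample: a healthy pool, one ordinary backed mint, then a mint of
# 235 trillion tokens with no collateral behind it (the magnitude reported for
# the incident; the surrounding balances are invented for the example).
SAMPLE_POOL = PoolState(collateral_value=9_000.0, total_supply=9_000.0)
SAMPLE_EVENTS = [
    MintEvent("tx-1", minted=100.0, collateral_added=100.0),
    MintEvent("tx-2", minted=235e12, collateral_added=0.0),
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_POOL, SAMPLE_EVENTS):
        print(line)
```

The guard is the mitigation a maintained contract would carry; the monitor is what a protocol can run over a deprecated pool it cannot or has not yet upgraded, which is the ongoing-monitoring practice the Outlook recommends. Replaying the sample events flags only the second mint.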

Verdict

The exploit of a legacy contract via an infinite minting flaw confirms that perimeter security vulnerabilities in deprecated DeFi infrastructure pose an existential threat to user capital.

smart contract flaw, infinite minting, synthetic asset, stableswap pool, token inflation, legacy contract, liquid staking, pool drain, asset theft, defi security, onchain exploit, custom logic, token accounting, perimeter risk, smart contract audit

Signal Acquired from → dlnews.com

Micro Crypto News Feeds

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

mathematical error

Definition ∞ A mathematical error within a blockchain protocol or smart contract refers to a flaw in its underlying algorithms or calculations.

collateral

Definition ∞ Collateral refers to an asset pledged by a borrower to a lender as security for a loan.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

funds

Definition ∞ Funds, in the context of digital assets, refer to capital aggregated for investment in cryptocurrencies, tokens, or other digital ventures.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

security

Definition ∞ Security refers to the measures and protocols designed to protect assets, networks, and data from unauthorized access, theft, or damage.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.