Security

Legacy Yearn Pool Drained Exploiting Infinite Token Minting Flaw

A logic flaw in the legacy stableswap mint function enabled infinite token issuance, creating a systemic risk for all integrated liquidity pools.
December 5, 20253 min

A high-resolution image captures a complex metallic mechanism featuring a glowing blue spherical core, partially submerged in a field of transparent bubbles. The intricate silver-toned components are illuminated by the internal blue light, creating a futuristic and dynamic scene
The image showcases a series of transparent, bulbous containers partially filled with a textured, deep blue substance, interconnected by slender metallic wires and capped with cylindrical silver components. The foreground elements are sharply focused, while the background blurs into a soft grey, emphasizing the intricate central arrangement

Briefing

The Yearn Finance legacy yETH stableswap pool suffered a critical logic exploit, resulting in a loss of approximately $9 million in underlying assets. This incident was triggered by an attacker exploiting a flaw in the pool’s custom minting function, which allowed the creation of a virtually unlimited supply of yETH tokens in a single transaction. The core consequence was the immediate destabilization of the pool’s token structure, enabling the attacker to drain real staked ETH assets across multiple integrated pools, with the total financial impact confirmed at over $9 million.

A sleek, silver-toned metallic mechanism is partially submerged in a vibrant, glowing blue liquid, surrounded by white foam. The central component features angular, robust designs, reflecting light and depth from the luminous blue substance, creating a sense of advanced engineering

Context

Before this incident, the risk associated with legacy, unaudited, or custom-forked smart contract logic was a known systemic vulnerability within the DeFi ecosystem. The attack surface was defined by older pool designs that often relied on complex, non-standard arithmetic for share price calculation, a class of vulnerability frequently overlooked in post-migration security reviews. This pre-existing posture allowed a logic flaw to persist in the pool’s mint function, creating a high-leverage attack vector that bypassed standard security assumptions.

Two intricately designed metallic gears, featuring prominent splined teeth, are captured in a dynamic close-up. A luminous, translucent blue liquid actively flows around and through their engaging surfaces, creating a sense of constant motion and interaction, highlighting the precision of their connection

Analysis

The attack vector was a precision-based arithmetic flaw within the legacy yETH pool’s mint function, specifically how it calculated the share price upon deposit. The attacker executed a transaction that manipulated the pool’s internal accounting, enabling the minting of an excessive quantity of yETH tokens for a minimal deposit. By artificially inflating their yETH balance, the attacker then redeemed these tokens for a disproportionately large share of the pool’s underlying assets, effectively draining the staked ETH. This was a direct compromise of the smart contract’s core logic, not an external oracle or private key breach.

A polished silver toroidal structure rests alongside a sculpted, translucent sapphire-blue form, revealing an intricate mechanical watch movement. The objects are presented on a minimalist light grey background, highlighting their forms and internal details

Parameters

  • Total Funds Drained → $9 Million (Total loss across the main yETH stableswap pool and the associated Curve pool).
  • Vulnerability TypeInfinite Token Minting Logic Flaw (Exploit of the custom share price calculation in the legacy contract).
  • Affected Asset Class → Liquid Staking Tokens (Underlying assets included wstETH, rETH, and cbETH).
  • Protocol Status → Router Paused, New Contract Deployed (Immediate mitigation steps taken by the core team).

This detailed render showcases a sophisticated, spherical computing module with interlocking metallic and white composite panels. A vibrant, bubbling blue liquid sphere is integrated at the top, while a granular white-rimmed aperture reveals a glowing blue core at the front

Outlook

Immediate mitigation requires all protocols utilizing legacy or custom-forked stableswap logic to conduct an emergency review of their share price calculation and minting functions. The second-order effect is a renewed focus on “stale” contract risk, where older, less-used contracts become high-value targets after a protocol’s main focus shifts to newer versions. This incident establishes the need for continuous, automated monitoring of all deployed contracts, regardless of their current TVL, and mandates immediate compensation to maintain user trust.

A prominent, textured white sphere, resembling a celestial body, is centrally positioned, encircled by a reflective silver ring and delicate white orbital lines. Surrounding this core are voluminous, cloud-like formations in varying shades of blue and white, along with smaller blue spheres and a distinct blue cube, all contained within a larger, reflective metallic structure

Verdict

The exploit confirms that logic flaws in legacy DeFi contracts remain a high-severity, high-impact threat, necessitating comprehensive sunsetting and formal verification of all retired codebases.

Token minting logic, Stableswap pool exploit, Infinite token issuance, Protocol insolvency risk, Legacy contract vulnerability, DeFi smart contract, Liquidity pool drain, Arithmetic logic flaw, Token share price, On-chain forensic analysis Signal Acquired from → tradingview.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

share price

Definition ∞ Share price represents the current market value of a single unit of ownership in a company or digital asset that is publicly traded.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Tags:

Tags: