Briefing

The Yearn Finance legacy yETH stableswap pool suffered a critical logic exploit, resulting in a loss of approximately $9 million in underlying assets. This incident was triggered by an attacker exploiting a flaw in the pool’s custom minting function, which allowed the creation of a virtually unlimited supply of yETH tokens in a single transaction. The core consequence was the immediate destabilization of the pool’s token structure, enabling the attacker to drain real staked ETH assets across multiple integrated pools, with the total financial impact confirmed at over $9 million.


Context

Before this incident, the risk associated with legacy, unaudited, or custom-forked smart contract logic was a known systemic vulnerability within the DeFi ecosystem. The attack surface was defined by older pool designs that often relied on complex, non-standard arithmetic for share price calculation, a class of vulnerability frequently overlooked in post-migration security reviews. This pre-existing posture allowed a logic flaw to persist in the pool’s mint function, creating a high-leverage attack vector that bypassed standard security assumptions.


Analysis

The attack vector was a precision-related arithmetic flaw in the legacy yETH pool’s mint function, specifically in how it calculated the share price on deposit. The attacker executed a transaction that manipulated the pool’s internal accounting, enabling the minting of an excessive quantity of yETH tokens for a minimal deposit. By artificially inflating their yETH balance, the attacker then redeemed these tokens for a disproportionately large share of the pool’s underlying assets, effectively draining the staked ETH. This was a direct compromise of the smart contract’s core logic, not an external oracle or private key breach.


Parameters

  • Total Funds Drained → $9 Million (Total loss across the main yETH stableswap pool and the associated Curve pool).
  • Vulnerability Type → Infinite Token Minting Logic Flaw (Exploit of the custom share price calculation in the legacy contract).
  • Affected Asset Class → Liquid Staking Tokens (Underlying assets included wstETH, rETH, and cbETH).
  • Protocol Status → Router Paused, New Contract Deployed (Immediate mitigation steps taken by the core team).


Outlook

Immediate mitigation requires all protocols utilizing legacy or custom-forked stableswap logic to conduct an emergency review of their share price calculation and minting functions. The second-order effect is a renewed focus on “stale” contract risk, where older, less-used contracts become high-value targets after a protocol’s main focus shifts to newer versions. This incident establishes the need for continuous, automated monitoring of all deployed contracts, regardless of their current TVL, and mandates immediate compensation to maintain user trust.
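The mint-function check described in the Analysis section and the automated monitoring called for above, as an added example that is not part of the original briefing or of Yearn’s code. It assumes a simplified share-token accounting model (a deposit of value d into a pool holding A of assets with S shares outstanding should mint d·S/A shares); pool state, event names and transaction hashes are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed, simplified accounting model for a yETH-style share pool. Not the real
# contract's arithmetic: the point is the invariant a monitor can check per mint.

@dataclass(frozen=True)
class PoolState:
    total_supply: int  # share tokens outstanding before the mint (18-decimal units)
    total_assets: int  # value of underlying LSTs before the mint (same units)

@dataclass(frozen=True)
class MintEvent:
    tx_hash: str       # constructed placeholder, not a real transaction hash
    deposit_value: int
    shares_minted: int

@dataclass(frozen=True)
class Finding:
    ok: bool
    fair_shares: int
    ratio: Decimal     # shares_minted / fair_shares
    reason: str

def fair_shares(state: PoolState, deposit_value: int) -> int:
    """Proportional entitlement: deposit * supply / assets (1:1 when the pool is empty)."""
    if state.total_supply == 0 or state.total_assets == 0:
        return deposit_value
    return deposit_value * state.total_supply // state.total_assets

def check_mint(state: PoolState, ev: MintEvent, tolerance_bps: int = 10) -> Finding:
    """Flag a mint that exceeds the proportional share count by more than tolerance_bps,
    or that more than doubles total supply in a single transaction."""
    fair = fair_shares(state, ev.deposit_value)
    if fair == 0:
        ratio = Decimal("Infinity") if ev.shares_minted else Decimal(0)
    else:
        ratio = Decimal(ev.shares_minted) / Decimal(fair)
    limit = 1 + Decimal(tolerance_bps) / Decimal(10_000)
    if ratio > limit:
        return Finding(False, fair, ratio, f"minted {ratio:.2f}x the proportional shares")
    if state.total_supply and ev.shares_minted > state.total_supply:
        return Finding(False, fair, ratio, "single mint more than doubled total supply")
    return Finding(True, fair, ratio, "proportional")

def scan(state: PoolState, events: list) -> list:
    """Return (tx_hash, Finding) for every mint that fails the invariant."""
    return [(ev.tx_hash, f) for ev in events if not (f := check_mint(state, ev)).ok]

# Constructed sample: pool at share price 1.05, one proportional deposit and one rogue mint.
STATE = PoolState(total_supply=10_000 * 10**18, total_assets=10_500 * 10**18)
NORMAL = MintEvent("0xconstructed-normal", 100 * 10**18, 95_238_095_238_095_238_095)
ROGUE = MintEvent("0xconstructed-rogue", 10**18, 10**9 * 10**18)
```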


Verdict

The exploit confirms that logic flaws in legacy DeFi contracts remain a high-severity, high-impact threat, necessitating comprehensive sunsetting and formal verification of all retired codebases.

Signal Acquired from → tradingview.com
