Legacy Yearn Pool Drained Exploiting Infinite Token Minting Flaw → Security

A translucent, irregularly shaped object, covered in numerous water droplets, reveals a deep blue interior and a smooth, light-colored central opening. The object's surface exhibits a textured, almost frosted appearance due to the condensation, contrasting with the vibrant, uniform blue within

$A complex, abstract structure of clear, reflective material features intertwined and layered forms, surrounding a vibrant blue, spherical core. Light reflects and refracts across its surfaces, creating a sense of depth and transparency$

Briefing

The Yearn Finance legacy yETH stableswap pool suffered a critical logic exploit, resulting in a loss of approximately $9 million in underlying assets. This incident was triggered by an attacker exploiting a flaw in the pool’s custom minting function, which allowed the creation of a virtually unlimited supply of yETH tokens in a single transaction. The core consequence was the immediate destabilization of the pool’s token structure, enabling the attacker to drain real staked ETH assets across multiple integrated pools, with the total financial impact confirmed at over $9 million.

A sleek, modular white structure, resembling a sophisticated decentralized protocol, rests partially submerged in luminous blue water. A powerful stream of water, indicative of digital assets, actively gushes from its core conduit, creating dynamic splashes and ripples

Context

Before this incident, the risk associated with legacy, unaudited, or custom-forked smart contract logic was a known systemic vulnerability within the DeFi ecosystem. The attack surface was defined by older pool designs that often relied on complex, non-standard arithmetic for share price calculation, a class of vulnerability frequently overlooked in post-migration security reviews. This pre-existing posture allowed a logic flaw to persist in the pool’s mint function, creating a high-leverage attack vector that bypassed standard security assumptions.

A detailed close-up reveals an abstract, three-dimensional structure composed of numerous interconnected blue and grey electronic circuit board components. The intricate design forms a hollow, almost skeletal framework, showcasing complex digital pathways and integrated chips

Analysis

The attack vector was a precision-based arithmetic flaw within the legacy yETH pool’s mint function, specifically how it calculated the share price upon deposit. The attacker executed a transaction that manipulated the pool’s internal accounting, enabling the minting of an excessive quantity of yETH tokens for a minimal deposit. By artificially inflating their yETH balance, the attacker then redeemed these tokens for a disproportionately large share of the pool’s underlying assets, effectively draining the staked ETH. This was a direct compromise of the smart contract’s core logic, not an external oracle or private key breach.

This detailed render showcases a sophisticated, spherical computing module with interlocking metallic and white composite panels. A vibrant, bubbling blue liquid sphere is integrated at the top, while a granular white-rimmed aperture reveals a glowing blue core at the front

Parameters

Total Funds Drained → $9 Million (Total loss across the main yETH stableswap pool and the associated Curve pool).
Vulnerability Type → Infinite Token Minting Logic Flaw (Exploit of the custom share price calculation in the legacy contract).
Affected Asset Class → Liquid Staking Tokens (Underlying assets included wstETH, rETH, and cbETH).
Protocol Status → Router Paused, New Contract Deployed (Immediate mitigation steps taken by the core team).

A prominent blue faceted object, resembling a polished crystal, is situated within a foamy, dark blue liquid on a dark display screen. The screen beneath illuminates with bright blue data visualizations, depicting graphs and grid lines, all resting on a sleek, multi-tiered metallic base

Outlook

Immediate mitigation requires all protocols utilizing legacy or custom-forked stableswap logic to conduct an emergency review of their share price calculation and minting functions. The second-order effect is a renewed focus on “stale” contract risk, where older, less-used contracts become high-value targets after a protocol’s main focus shifts to newer versions. This incident establishes the need for continuous, automated monitoring of all deployed contracts, regardless of their current TVL, and mandates immediate compensation to maintain user trust.

A detailed view presents a sophisticated array of blue and metallic silver modular components, intricately assembled with transparent elements and glowing blue internal conduits. A central, effervescent spherical cluster of particles is prominently featured, appearing to be generated from or integrated into a clear channel

Verdict

The exploit confirms that logic flaws in legacy DeFi contracts remain a high-severity, high-impact threat, necessitating comprehensive sunsetting and formal verification of all retired codebases.

Token minting logic, Stableswap pool exploit, Infinite token issuance, Protocol insolvency risk, Legacy contract vulnerability, DeFi smart contract, Liquidity pool drain, Arithmetic logic flaw, Token share price, On-chain forensic analysis Signal Acquired from → tradingview.com