Briefing

The Yearn Finance legacy yETH stableswap pool suffered a critical logic exploit, resulting in a loss of approximately $9 million in underlying assets. This incident was triggered by an attacker exploiting a flaw in the pool’s custom minting function, which allowed the creation of a virtually unlimited supply of yETH tokens in a single transaction. The core consequence was the immediate destabilization of the pool’s token structure, enabling the attacker to drain real staked ETH assets across multiple integrated pools, with the total financial impact confirmed at over $9 million.


Context

Before this incident, the risk associated with legacy, unaudited, or custom-forked smart contract logic was a known systemic vulnerability within the DeFi ecosystem. The attack surface was defined by older pool designs that often relied on complex, non-standard arithmetic for share price calculation, a class of vulnerability frequently overlooked in post-migration security reviews. This pre-existing posture allowed a logic flaw to persist in the pool’s mint function, creating a high-leverage attack vector that bypassed standard security assumptions.


Analysis

The attack vector was a precision-based arithmetic flaw within the legacy yETH pool’s mint function, specifically how it calculated the share price upon deposit. The attacker executed a transaction that manipulated the pool’s internal accounting, enabling the minting of an excessive quantity of yETH tokens for a minimal deposit. By artificially inflating their yETH balance, the attacker then redeemed these tokens for a disproportionately large share of the pool’s underlying assets, effectively draining the staked ETH. This was a direct compromise of the smart contract’s core logic, not an external oracle or private key breach.


Parameters

  • Total Funds Drained → $9 Million (Total loss across the main yETH stableswap pool and the associated Curve pool).
  • Vulnerability Type → Infinite Token Minting Logic Flaw (Exploit of the custom share price calculation in the legacy contract).
  • Affected Asset Class → Liquid Staking Tokens (Underlying assets included wstETH, rETH, and cbETH).
  • Protocol Status → Router Paused, New Contract Deployed (Immediate mitigation steps taken by the core team).


Outlook

Immediate mitigation requires all protocols utilizing legacy or custom-forked stableswap logic to conduct an emergency review of their share price calculation and minting functions. The second-order effect is a renewed focus on “stale” contract risk, where older, less-used contracts become high-value targets after a protocol’s main focus shifts to newer versions. This incident establishes the need for continuous, automated monitoring of all deployed contracts, regardless of their current TVL, and mandates immediate compensation to maintain user trust.
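The mechanism described under Analysis (a share price miscalculation that mints far more pool tokens than a deposit justifies) and the continuous monitoring called for above can be combined into one invariant check. The following is an added illustration, not Yearn's code and not the actual yETH bug: it assumes a simple proportional share model (deposit × supply ÷ assets) as the baseline and flags any mint event whose issued amount exceeds that baseline by more than a tolerance; the pool states and transaction ids are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class PoolState:
    total_assets: int  # underlying value held by the pool (integer units)
    total_supply: int  # pool tokens outstanding


@dataclass
class MintEvent:
    tx: str        # constructed transaction label
    deposited: int  # underlying value the depositor added
    minted: int     # pool tokens the contract actually issued


def fair_shares(state: PoolState, deposited: int) -> int:
    """Proportional share count; an empty pool mints 1:1 (assumed baseline model)."""
    if state.total_supply == 0 or state.total_assets == 0:
        return deposited
    return deposited * state.total_supply // state.total_assets


def check_mint(state: PoolState, ev: MintEvent, tolerance_bps: int = 50):
    """Return (ok, ratio): ok is False when minted/fair exceeds 1 + tolerance."""
    fair = fair_shares(state, ev.deposited)
    if fair == 0:  # a deposit too small to earn a share must not mint anything
        return ev.minted == 0, Fraction(0)
    ratio = Fraction(ev.minted, fair)
    return ratio <= 1 + Fraction(tolerance_bps, 10_000), ratio


def scan(state: PoolState, events: list[MintEvent]) -> list[tuple[str, float]]:
    """Replay mint events against the pool state and return the anomalous ones."""
    flagged = []
    for ev in events:
        ok, ratio = check_mint(state, ev)
        if not ok:
            flagged.append((ev.tx, float(ratio)))
        # apply the event so later checks see the post-mint supply and assets
        state = PoolState(state.total_assets + ev.deposited, state.total_supply + ev.minted)
    return flagged


# Constructed feed: one honest deposit, one over-mint, one honest deposit after it.
EVENTS = [
    MintEvent("tx-constructed-1", deposited=1_000, minted=1_000),
    MintEvent("tx-constructed-2", deposited=1, minted=5_000_000),
    MintEvent("tx-constructed-3", deposited=100, minted=45_550),
]


def run_example() -> list[tuple[str, float]]:
    return scan(PoolState(total_assets=10_000, total_supply=10_000), EVENTS)
```

Because `fair_shares` floors, an honest mint never exceeds the baseline through rounding alone; the tolerance exists for fee or stableswap pricing differences in real pools, and the third event shows a correctly sized mint passing even after the supply has been inflated.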


Verdict

The exploit confirms that logic flaws in legacy DeFi contracts remain a high-severity, high-impact threat, necessitating comprehensive sunsetting and formal verification of all retired codebases.

Signal Acquired from → tradingview.com
