Briefing

The Yearn Finance legacy yETH stableswap pool suffered a critical logic exploit, resulting in a loss of approximately $9 million in underlying assets. This incident was triggered by an attacker exploiting a flaw in the pool’s custom minting function, which allowed the creation of a virtually unlimited supply of yETH tokens in a single transaction. The core consequence was the immediate destabilization of the pool’s token structure, enabling the attacker to drain real staked ETH assets across multiple integrated pools, with the total financial impact confirmed at over $9 million.

A close-up view reveals a transparent, futuristic apparatus containing a vibrant blue liquid filled with a dense array of uniform bubbles. Internal illuminated blue lines suggest intricate circuitry or data pathways within the fluid, set against a blurred light gray background

Context

Before this incident, the risk associated with legacy, unaudited, or custom-forked smart contract logic was a known systemic vulnerability within the DeFi ecosystem. The attack surface was defined by older pool designs that often relied on complex, non-standard arithmetic for share price calculation, a class of vulnerability frequently overlooked in post-migration security reviews. This pre-existing posture allowed a logic flaw to persist in the pool’s mint function, creating a high-leverage attack vector that bypassed standard security assumptions.

A highly detailed close-up reveals a sleek, metallic blue and silver mechanical device, featuring a prominent lens-like component and intricate internal structures. White, frothy foam actively surrounds and interacts with the central mechanism, suggesting a dynamic operational process within the unit

Analysis

The attack vector was a precision-based arithmetic flaw within the legacy yETH pool’s mint function, specifically how it calculated the share price upon deposit. The attacker executed a transaction that manipulated the pool’s internal accounting, enabling the minting of an excessive quantity of yETH tokens for a minimal deposit. By artificially inflating their yETH balance, the attacker then redeemed these tokens for a disproportionately large share of the pool’s underlying assets, effectively draining the staked ETH. This was a direct compromise of the smart contract’s core logic, not an external oracle or private key breach.

A close-up view reveals a highly detailed, metallic mechanical component, featuring various shafts and finely machined surfaces, partially submerged within a vibrant, translucent blue material that exhibits a textured, fluid-like appearance with subtle bubbles. The background offers a soft, out-of-focus gradient of blues and grays, emphasizing the intricate foreground subject, suggesting a high-tech operational environment

Parameters

  • Total Funds Drained → $9 Million (Total loss across the main yETH stableswap pool and the associated Curve pool).
  • Vulnerability TypeInfinite Token Minting Logic Flaw (Exploit of the custom share price calculation in the legacy contract).
  • Affected Asset Class → Liquid Staking Tokens (Underlying assets included wstETH, rETH, and cbETH).
  • Protocol Status → Router Paused, New Contract Deployed (Immediate mitigation steps taken by the core team).

A white, textured sphere rests within a dynamic, translucent blue, fluid-like structure, set against a light grey background. The blue form exhibits complex ripples and varying opacities, appearing to cradle the sphere

Outlook

Immediate mitigation requires all protocols utilizing legacy or custom-forked stableswap logic to conduct an emergency review of their share price calculation and minting functions. The second-order effect is a renewed focus on “stale” contract risk, where older, less-used contracts become high-value targets after a protocol’s main focus shifts to newer versions. This incident establishes the need for continuous, automated monitoring of all deployed contracts, regardless of their current TVL, and mandates immediate compensation to maintain user trust.

A blue, patterned, tubular structure, detailed with numerous small, light-colored indentations, forms a large semi-circular shape against a dark background. Black, robust cylindrical components are integrated into the blue structure, with clear, thin tubes traversing the scene, suggesting data flow

Verdict

The exploit confirms that logic flaws in legacy DeFi contracts remain a high-severity, high-impact threat, necessitating comprehensive sunsetting and formal verification of all retired codebases.

Token minting logic, Stableswap pool exploit, Infinite token issuance, Protocol insolvency risk, Legacy contract vulnerability, DeFi smart contract, Liquidity pool drain, Arithmetic logic flaw, Token share price, On-chain forensic analysis Signal Acquired from → tradingview.com

Micro Crypto News Feeds