Briefing

The Yearn Finance legacy yETH product was compromised via an economic exploit that leveraged a logic flaw in its underlying stableswap pool contract. The flaw let the attacker mint a near-unlimited supply of yETH tokens and redeem them against the pool's liquid staking token reserves, draining the pool. The incident was isolated to the older product and resulted in a total loss of approximately $9 million across several Ethereum-based tokens.

Context

This exploit highlights the persistent risk of keeping legacy smart contracts live, especially those built on complex, custom financial primitives such as stableswap logic. The attack surface here is bespoke contract code, where subtle mathematical or rounding errors can be turned into full economic exploits. The incident was isolated to the yETH product, which had not been brought up to the security standards of the V3 vaults.

Analysis

The attack exploited a flaw in the custom stableswap pool's internal accounting, specifically the function that determines the value of yETH relative to the pool's underlying assets. By driving the pool into a state in which that function overvalued the attacker's position, the attacker minted an arbitrarily large amount of yETH in a single transaction, then redeemed the inflated balance for a disproportionate share of the real underlying assets, including wstETH and rETH, draining the pool's liquidity. This was a targeted economic manipulation of contract logic, not a private key compromise or an administrative failure.
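
The mint-then-drain pattern described above, as an added illustration that is not Yearn's code and not a reconstruction of the actual yETH bug: a toy Python model of a two-asset pool whose `mint()` prices an incoming deposit through a valuation function. The specific defect modelled (a missing WAD division in `value_of_deposit_buggy`) is a hypothetical stand-in for the unspecified flaw. The point of the example is the guard: a virtual-price invariant (pool value per pool token must not fall on a deposit) that reverts an inflated mint whatever its root cause. Asset names, rates and balances are constructed, not on-chain figures.

```python
from dataclasses import dataclass, field

WAD = 10**18  # 1e18 fixed-point scale, as in ERC-20 style balances


class InvariantViolation(Exception):
    """Raised where a Solidity contract would `revert`."""


@dataclass
class Pool:
    # asset symbol -> base-unit balance held by the pool
    balances: dict = field(default_factory=dict)
    # asset symbol -> ETH value of one whole unit, WAD-scaled (constructed oracle values)
    rates: dict = field(default_factory=dict)
    total_supply: int = 0  # pool tokens outstanding

    def pool_value(self) -> int:
        """ETH-denominated value of everything the pool holds."""
        return sum(bal * self.rates[a] // WAD for a, bal in self.balances.items())

    def virtual_price(self) -> int:
        """ETH value backing one pool token (WAD-scaled). A deposit must never lower it."""
        if self.total_supply == 0:
            return WAD
        return self.pool_value() * WAD // self.total_supply

    def value_of_deposit(self, asset: str, amount: int) -> int:
        """Correct valuation of an incoming deposit."""
        return amount * self.rates[asset] // WAD

    def value_of_deposit_buggy(self, asset: str, amount: int) -> int:
        """HYPOTHETICAL flaw (not the real yETH bug): the WAD division is missing, so the
        deposit is valued 1e18 times too high and shares are minted against phantom value."""
        return amount * self.rates[asset]

    def mint(self, asset: str, amount: int, value_fn, guarded: bool) -> int:
        """Issue pool tokens for `amount` of `asset`, pricing it with `value_fn`.
        With guarded=True a virtual-price post-condition reverts inflated mints."""
        vp_before = self.virtual_price()
        value_before = self.pool_value()
        deposited_value = value_fn(asset, amount)
        if self.total_supply == 0:
            shares = deposited_value
        else:
            shares = deposited_value * self.total_supply // value_before
        self.balances[asset] = self.balances.get(asset, 0) + amount
        self.total_supply += shares
        vp_after = self.virtual_price()
        if guarded and vp_after + 1 < vp_before:  # tolerate 1 wei of rounding
            self.balances[asset] -= amount          # roll back, as a revert would
            self.total_supply -= shares
            raise InvariantViolation(f"virtual price fell {vp_before} -> {vp_after}")
        return shares

    def redeem(self, shares: int, asset: str) -> int:
        """Burn shares for a pro rata amount of a single asset (no swap curve, no fees)."""
        owed_value = shares * self.pool_value() // self.total_supply
        amount = min(owed_value * WAD // self.rates[asset], self.balances[asset])
        self.balances[asset] -= amount
        self.total_supply -= shares
        return amount


def seed_pool() -> Pool:
    """Constructed scenario: honest LPs deposit 1000 wstETH and 1000 rETH at made-up rates."""
    pool = Pool(rates={"wstETH": 115 * WAD // 100, "rETH": 110 * WAD // 100})
    pool.mint("wstETH", 1000 * WAD, pool.value_of_deposit, guarded=True)
    pool.mint("rETH", 1000 * WAD, pool.value_of_deposit, guarded=True)
    return pool


def simulate_attack(guarded: bool) -> dict:
    """Attacker deposits one wstETH through the buggy valuation, then redeems the
    inflated balance against both underlying assets. Returns what happened."""
    pool = seed_pool()
    honest_supply = pool.total_supply
    deposit = 1 * WAD
    try:
        shares = pool.mint("wstETH", deposit, pool.value_of_deposit_buggy, guarded=guarded)
    except InvariantViolation:
        return {"reverted": True, "deposited": deposit, "minted": 0,
                "honest_supply": honest_supply, "drained": {}}
    drained = {
        "wstETH": pool.redeem(shares // 2, "wstETH"),
        "rETH": pool.redeem(shares - shares // 2, "rETH"),
    }
    return {"reverted": False, "deposited": deposit, "minted": shares,
            "honest_supply": honest_supply, "drained": drained}


if __name__ == "__main__":
    for guarded in (False, True):
        print("guarded" if guarded else "unguarded", simulate_attack(guarded))
```

Unguarded, one wstETH of deposit mints roughly 10^14 times the honest supply and the two redemptions take nearly the whole pool; guarded, the same mint reverts because the value per pool token collapses from 1e18 to a few thousand wei. The invariant does not need to know where the accounting error is, which is what makes it worth enforcing in the contract and watching off-chain: a sudden drop in a pool's virtual price is also a strong on-chain detection signal.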

Parameters

  • Total Funds Drained → $9 million → The total value of liquid staking tokens and ETH removed from the affected pools.
  • Vulnerability Type → Infinite Mint Logic Flaw → A bug in the stableswap contract allowed for arbitrary token creation.
  • Affected Product → Legacy yETH Stableswap Pool → The exploit was isolated to the older version of the product.
  • Mitigation Status → Router Paused, V1.1 Contract Deployed → The protocol immediately paused the affected router and deployed a patched contract.
  • Reimbursement Plan → Governance proposal passed to reimburse $3.2M from treasury → A commitment to cover part of user losses from the protocol treasury.

Outlook

Protocols should establish and enforce clear deprecation policies for legacy contracts to limit the long-tail risk of outdated or unaudited code. For users, the immediate mitigation is to withdraw assets from any V1 or legacy pools that have not been explicitly migrated to the V3 architecture. The event will likely push auditing standards toward dedicated scrutiny of custom mathematical functions in stableswap and other automated market maker contracts, where valuation and precision errors become economic exploits.

Verdict

This $9 million exploit is an operational reminder that legacy smart contract infrastructure, left running without the scrutiny applied to current versions, remains one of the largest systemic risks in DeFi.

Signal Acquired from → tradingview.com

Micro Crypto News Feeds

economic exploit

Definition ∞ An economic exploit is a manipulation of a system's design or incentives to gain an unfair financial advantage.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

mitigation

Definition ∞ Mitigation refers to actions taken to reduce the severity, seriousness, or harmfulness of something.

governance

Definition ∞ Governance refers to the systems, processes, and rules by which an entity or system is directed and controlled.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.