Briefing

The Yearn Finance legacy yETH product was compromised via an economic exploit that leveraged a logic flaw in its underlying stableswap pool contract. The primary consequence was the unauthorized minting of a near-infinite supply of yETH tokens, allowing the attacker to drain the pool of its underlying liquid staking assets. This incident, isolated to the older product, resulted in a total financial loss of approximately $9 million in various Ethereum-based tokens.

Context

This exploit highlights the persistent risk associated with maintaining legacy smart contracts, especially those integrated with complex, custom-built financial primitives like stableswap logic. The prevailing attack surface remains in bespoke contract code where subtle mathematical or rounding errors can be weaponized into full economic exploits. The incident was isolated to the yETH product, which had not been updated to the latest security standards of the V3 vaults.

Analysis

The attack vector exploited a flaw within the custom stable-swap pool’s internal calculation logic, specifically the function responsible for determining the value of yETH. The attacker first manipulated the pool’s state by exploiting this logic, enabling them to mint an arbitrarily large amount of yETH tokens in a single transaction. With this inflated balance, the attacker then withdrew a disproportionate amount of the pool’s real underlying assets, including wstETH and rETH, effectively draining the liquidity. The exploit was a targeted economic manipulation, not a simple private key compromise or administrative failure.

Parameters

  • Total Funds Drained → $9 million → The total value of liquid staking tokens and ETH removed from the affected pools.
  • Vulnerability Type → Infinite Mint Logic Flaw → A bug in the stableswap contract allowed for arbitrary token creation.
  • Affected Product → Legacy yETH Stableswap Pool → The exploit was isolated to the older version of the product.
  • Mitigation Status → Router Paused, V1.1 Contract Deployed → The protocol immediately paused the affected router and deployed a patched contract.
  • Reimbursement Plan → Governance proposal passed to reimburse $3.2M from treasury → A commitment to cover user losses from corporate reserves.

Outlook

Protocols must immediately establish and enforce clear deprecation policies for all legacy contracts to minimize the long-tail risk of unaudited or outdated code. For users, the immediate mitigation is to withdraw all assets from any V1 or legacy pools that are not explicitly marked as secure and migrated to V3 architecture. This event will likely set a new precedent for auditing standards, requiring dedicated scrutiny on custom mathematical functions within stableswap and other automated market maker contracts to prevent similar precision-based economic exploits.
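The Analysis and Outlook sections both come down to one auditing point: share-issuing pool math must round in the pool's favour and must be checked against an invariant, not trusted by inspection. The following is an added example written for this page, not Yearn's yETH code or any real stableswap implementation. It models a constructed multi-asset pool that issues shares against deposited value at assumed fixed reference prices (the token names wstETH and rETH come from the page; the prices and balances are invented), and shows the kind of guard and property test an auditor would want around custom mint logic: price per existing share must never drop when someone deposits. The same pool with the rounding direction flipped trips the guard on the very first small deposit, which is how a precision bug in a custom formula is caught before it becomes an economic exploit.

```python
import copy
import math
import random
from fractions import Fraction

# Constructed toy pool for illustration only: NOT Yearn's yETH code or any real
# stableswap. Fixed reference prices are an assumption; a real pool would price via
# its curve. Integer balances are wei-like units.
PRICES = {"wstETH": Fraction(12, 10), "rETH": Fraction(11, 10)}  # value per token unit


class SharePool:
    def __init__(self, assets: dict, total_shares: int):
        self.assets = dict(assets)          # token -> integer balance held by the pool
        self.total_shares = total_shares    # pool shares outstanding

    def total_value(self, prices: dict) -> Fraction:
        return sum(Fraction(bal) * prices[t] for t, bal in self.assets.items())

    def price_per_share(self, prices: dict) -> Fraction:
        if self.total_shares == 0:
            return Fraction(0)
        return self.total_value(prices) / self.total_shares

    def mint(self, token: str, amount: int, prices: dict, round_up: bool = False) -> int:
        """Issue shares for `amount` of `token`. Exact rational math via Fraction; the
        only policy choice is the rounding direction of the share count."""
        value_in = Fraction(amount) * prices[token]
        exact = value_in * self.total_shares / self.total_value(prices)
        shares = math.ceil(exact) if round_up else math.floor(exact)
        self.assets[token] += amount
        self.total_shares += shares
        return shares


def mint_checked(pool: SharePool, token: str, amount: int, prices: dict,
                 round_up: bool = False) -> int:
    """Invariant guard: a deposit must never lower the value backing each existing
    share. On violation the state change is rolled back (the analogue of a revert)."""
    snapshot = copy.deepcopy(pool)
    before = pool.price_per_share(prices)
    shares = pool.mint(token, amount, prices, round_up)
    after = pool.price_per_share(prices)
    if after < before:
        pool.__dict__.update(snapshot.__dict__)   # discard the offending state change
        raise ValueError(
            f"mint of {shares} shares for {amount} {token} dilutes existing holders")
    return shares


def fuzz_no_dilution(n_ops: int = 2000, seed: int = 1, round_up: bool = False) -> bool:
    """Property test: random small deposits never trip the guard when shares round
    down; returns False as soon as a deposit would dilute existing holders."""
    rng = random.Random(seed)
    pool = SharePool({"wstETH": 1000, "rETH": 1000}, total_shares=1000)
    for _ in range(n_ops):
        token = rng.choice(list(PRICES))
        amount = rng.randint(1, 5)
        try:
            mint_checked(pool, token, amount, PRICES, round_up)
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    fair = SharePool({"wstETH": 1000, "rETH": 1000}, total_shares=1000)
    print("round-down mint of 1 rETH issues", mint_checked(fair, "rETH", 1, PRICES), "shares")
    bad = SharePool({"wstETH": 1000, "rETH": 1000}, total_shares=1000)
    try:
        mint_checked(bad, "rETH", 1, PRICES, round_up=True)
    except ValueError as err:
        print("guard fired:", err)
    print("fuzz, round down:", fuzz_no_dilution())
    print("fuzz, round up:  ", fuzz_no_dilution(round_up=True))
```

The guard is deliberately stated as an economic invariant (price per share is monotone non-decreasing across deposits) rather than as a check on any particular formula, because that is what survives a rewrite of the curve math. In a property-testing or fuzzing setup this is the assertion to run over every state-changing function of a custom pool, with the rounding direction of each intermediate value treated as an audit item in its own right.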

Verdict

This $9 million exploit serves as a definitive operational mandate that the greatest systemic risk in DeFi is the persistent, unmitigated threat posed by legacy smart contract infrastructure.

Signal Acquired from → tradingview.com

Micro Crypto News Feeds

economic exploit

Definition ∞ An economic exploit is a manipulation of a system's design or incentives to gain an unfair financial advantage.

economic exploits

Definition ∞ Economic exploits are malicious actions or strategies that manipulate the design or incentives of a decentralized system to extract value unfairly.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

mitigation

Definition ∞ Mitigation refers to actions taken to reduce the severity, seriousness, or harmfulness of something.

governance

Definition ∞ Governance refers to the systems, processes, and rules by which an entity or system is directed and controlled.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.