Briefing

The Yearn Finance legacy yETH product was compromised via an economic exploit that leveraged a logic flaw in its underlying stableswap pool contract. The primary consequence was the unauthorized minting of a near-infinite supply of yETH tokens, allowing the attacker to drain the pool of its underlying liquid staking assets. This incident, isolated to the older product, resulted in a total financial loss of approximately $9 million in various Ethereum-based tokens.


Context

This exploit highlights the persistent risk associated with maintaining legacy smart contracts, especially those integrated with complex, custom-built financial primitives like stableswap logic. The prevailing attack surface remains in bespoke contract code where subtle mathematical or rounding errors can be weaponized into full economic exploits. The incident was isolated to the yETH product, which had not been updated to the latest security standards of the V3 vaults.


Analysis

The attack vector exploited a flaw within the custom stable-swap pool’s internal calculation logic, specifically the function responsible for determining the value of yETH. The attacker first manipulated the pool’s state by exploiting this logic, enabling them to mint an arbitrarily large amount of yETH tokens in a single transaction. With this inflated balance, the attacker then withdrew a disproportionate amount of the pool’s real underlying assets, including wstETH and rETH, effectively draining the liquidity. The exploit was a targeted economic manipulation, not a simple private key compromise or administrative failure.


Parameters

  • Total Funds Drained → $9 million → The total value of liquid staking tokens and ETH removed from the affected pools.
  • Vulnerability Type → Infinite Mint Logic Flaw → A bug in the stableswap contract allowed for arbitrary token creation.
  • Affected Product → Legacy yETH Stableswap Pool → The exploit was isolated to the older version of the product.
  • Mitigation Status → Router Paused, V1.1 Contract Deployed → The protocol immediately paused the affected router and deployed a patched contract.
  • Reimbursement Plan → Governance proposal passed to reimburse $3.2M from treasury → A commitment to cover user losses from corporate reserves.


Outlook

Protocols must immediately establish and enforce clear deprecation policies for all legacy contracts to minimize the long-tail risk of unaudited or outdated code. For users, the immediate mitigation is to withdraw all assets from any V1 or legacy pools that are not explicitly marked as secure and migrated to V3 architecture. This event will likely set a new precedent for auditing standards, requiring dedicated scrutiny on custom mathematical functions within stableswap and other automated market maker contracts to prevent similar precision-based economic exploits.
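The rounding hazard the Outlook paragraph asks auditors to scrutinise, shown with a constructed, simplified share-mint function and a fuzz harness that checks the mint-then-redeem invariant. This is added illustration, not Yearn's yETH or stableswap code, and it does not reproduce the actual bug, which the briefing does not detail; function names, pool sizes and the rounding choices are assumptions.

```python
import random

# Constructed, simplified LP share math for illustration only: this is NOT
# Yearn's yETH/stableswap code and does not reproduce the actual bug, which
# the briefing does not detail. Integers mimic Solidity uint256 arithmetic.


def mint_shares_naive(deposit, total_assets, total_supply):
    """Shares for a deposit, rounding UP: the depositor is favoured."""
    if total_supply == 0:
        return deposit
    return -(-deposit * total_supply // total_assets)  # ceiling division


def mint_shares_safe(deposit, total_assets, total_supply):
    """Shares for a deposit, rounding DOWN: the pool is favoured."""
    if total_supply == 0:
        return deposit
    return deposit * total_supply // total_assets


def redeem_assets(shares, total_assets, total_supply):
    """Assets paid out for burning shares, rounding DOWN (pool favoured)."""
    return shares * total_assets // total_supply


def round_trip_leak(mint_fn, deposit, total_assets, total_supply):
    """Asset units a mint-then-redeem round trip extracts beyond the deposit.

    The invariant an auditor wants is leak == 0 for every input: no caller
    should be able to leave with more value than they put in.
    """
    shares = mint_fn(deposit, total_assets, total_supply)
    paid_out = redeem_assets(shares, total_assets + deposit, total_supply + shares)
    return max(0, paid_out - deposit)


def fuzz_mint_invariant(mint_fn, trials=2000, seed=7):
    """Worst leak found over random pool states; 0 means the invariant held."""
    rng = random.Random(seed)
    worst = 0
    for _ in range(trials):
        total_assets = rng.randint(1, 10**24)  # up to ~1e6 tokens at 18 decimals
        total_supply = rng.randint(1, 10**24)
        deposit = rng.randint(1, 10**21)
        worst = max(worst, round_trip_leak(mint_fn, deposit, total_assets, total_supply))
    return worst


if __name__ == "__main__":
    print("naive worst leak:", fuzz_mint_invariant(mint_shares_naive))  # > 0
    print("safe  worst leak:", fuzz_mint_invariant(mint_shares_safe))   # 0
```

A non-zero leak on any input is the audit finding: a few units per call is what a custom math function must never allow, because pool size and repetition turn it into the kind of economic exploit described above.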


Verdict

This $9 million exploit serves as a definitive operational mandate that the greatest systemic risk in DeFi is the persistent, unmitigated threat posed by legacy smart contract infrastructure.

Signal Acquired from → tradingview.com

Micro Crypto News Feeds

economic exploit

Definition ∞ An economic exploit is a manipulation of a system's design or incentives to gain an unfair financial advantage.

economic exploits

Definition ∞ Economic exploits are malicious actions or strategies that manipulate the design or incentives of a decentralized system to extract value unfairly.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

mitigation

Definition ∞ Mitigation refers to actions taken to reduce the severity, seriousness, or harmfulness of something.

governance

Definition ∞ Governance refers to the systems, processes, and rules by which an entity or system is directed and controlled.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.