Briefing

The Yearn Finance legacy yETH product was compromised via an economic exploit that leveraged a logic flaw in its underlying stableswap pool contract. The primary consequence was the unauthorized minting of a near-infinite supply of yETH tokens, allowing the attacker to drain the pool of its underlying liquid staking assets. This incident, isolated to the older product, resulted in a total financial loss of approximately $9 million in various Ethereum-based tokens.

Context

This exploit highlights the persistent risk associated with maintaining legacy smart contracts, especially those integrated with complex, custom-built financial primitives like stableswap logic. The prevailing attack surface remains in bespoke contract code where subtle mathematical or rounding errors can be weaponized into full economic exploits. The incident was isolated to the yETH product, which had not been updated to the latest security standards of the V3 vaults.

Analysis

The attack vector exploited a flaw within the custom stableswap pool’s internal calculation logic, specifically the function responsible for determining the value of yETH. The attacker first manipulated the pool’s state by exploiting this logic, enabling them to mint an arbitrarily large amount of yETH tokens in a single transaction. With this inflated balance, the attacker then withdrew a disproportionate amount of the pool’s real underlying assets, including wstETH and rETH, effectively draining the liquidity. The exploit was a targeted economic manipulation, not a simple private key compromise or administrative failure.

Parameters

  • Total Funds Drained → $9 million → The total value of liquid staking tokens and ETH removed from the affected pools.
  • Vulnerability Type → Infinite Mint Logic Flaw → A bug in the stableswap contract allowed for arbitrary token creation.
  • Affected Product → Legacy yETH Stableswap Pool → The exploit was isolated to the older version of the product.
  • Mitigation Status → Router Paused, V1.1 Contract Deployed → The protocol immediately paused the affected router and deployed a patched contract.
  • Reimbursement Plan → Governance proposal passed to reimburse $3.2M from treasury → A commitment to cover user losses from corporate reserves.

Outlook

Protocols must immediately establish and enforce clear deprecation policies for all legacy contracts to minimize the long-tail risk of unaudited or outdated code. For users, the immediate mitigation is to withdraw all assets from any V1 or legacy pools that are not explicitly marked as secure and migrated to V3 architecture. This event will likely set a new precedent for auditing standards, requiring dedicated scrutiny on custom mathematical functions within stableswap and other automated market maker contracts to prevent similar precision-based economic exploits.
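The Analysis above (an unbacked mint followed by withdrawal of wstETH and rETH) and the Outlook's call for dedicated scrutiny of custom pool math come down to one invariant a defender can monitor: the reserve value backing each share must never fall, so share supply may grow only as fast as reserve value does. The following is an added example, not code from this page or from Yearn; it uses a simplified value-per-share model with constructed reserves, prices and snapshots rather than the actual yETH stableswap formula, and every name in it (PoolState, check_transition, PRICES_ETH, SAMPLE_STATES) is an assumption.

```python
"""Share-backing invariant monitor for a pool that issues an LP/yETH-style token.

Constructed example: a pool holds liquid-staking reserves and mints share
tokens against deposits. Honest mints add reserve value in proportion to the
shares created, so value-per-share never falls; an unbacked mint breaks that.
"""
from dataclasses import dataclass
from fractions import Fraction

# Constructed reference prices in ETH for the reserve assets (hypothetical values).
PRICES_ETH = {"wstETH": Fraction("1.15"), "rETH": Fraction("1.08")}


@dataclass(frozen=True)
class PoolState:
    """Snapshot of pool reserves (asset symbol -> units) and share-token supply."""
    reserves: dict
    total_supply: Fraction


def pool_value(state: PoolState, prices: dict) -> Fraction:
    """Total reserve value in ETH terms."""
    return sum(Fraction(q) * prices[a] for a, q in state.reserves.items())


def share_price(state: PoolState, prices: dict):
    """ETH value backing one share, or None when no shares exist."""
    if state.total_supply == 0:
        return None
    return pool_value(state, prices) / state.total_supply


def check_transition(before: PoolState, after: PoolState, prices: dict,
                     tolerance: Fraction = Fraction(1, 1000)) -> list:
    """Return the invariant violations for one state transition (empty if none).

    Invariant A: value per share may not fall by more than `tolerance`.
    Invariant B: shares minted may not exceed value added / prior share price,
                 i.e. new supply must be backed by new reserves.
    """
    violations = []
    p_before = share_price(before, prices)
    p_after = share_price(after, prices)
    if p_before is not None and p_after is not None and p_after < p_before * (1 - tolerance):
        violations.append(
            f"value per share fell {float(p_before):.6f} -> {float(p_after):.6f} ETH")
    minted = after.total_supply - before.total_supply
    if minted > 0 and p_before is not None:
        value_added = pool_value(after, prices) - pool_value(before, prices)
        max_honest = value_added / p_before  # shares an honest deposit of this size would mint
        if minted > max_honest * (1 + tolerance):
            violations.append(
                f"minted {float(minted):.0f} shares backed by only "
                f"{float(value_added):.2f} ETH of new reserve value")
    return violations


def scan(states: list, prices: dict) -> list:
    """Run check_transition over consecutive snapshots; return (index, violations) pairs."""
    alerts = []
    for i in range(1, len(states)):
        v = check_transition(states[i - 1], states[i], prices)
        if v:
            alerts.append((i, v))
    return alerts


# Constructed snapshot sequence (not on-chain data). Value per share starts at 1.0 ETH.
SAMPLE_STATES = [
    PoolState({"wstETH": 1000, "rETH": 1000}, Fraction(2230)),       # 2230 ETH backing 2230 shares
    PoolState({"wstETH": 1100, "rETH": 1000}, Fraction(2345)),       # honest deposit: +115 ETH, +115 shares
    PoolState({"wstETH": 1100, "rETH": 1000}, Fraction(1_000_000)),  # unbacked mint: supply jumps, reserves unchanged
    PoolState({"wstETH": 550, "rETH": 500}, Fraction(500_000)),      # pro-rata withdrawal: half the shares, half the reserves
]


def run_demo() -> list:
    """Scan the constructed sequence and return the alerts raised."""
    return scan(SAMPLE_STATES, PRICES_ETH)


if __name__ == "__main__":
    for idx, reasons in run_demo():
        print(f"snapshot {idx}:")
        for r in reasons:
            print("  -", r)
```

Note where the alert fires: only the transition into snapshot 2, the unbacked mint, trips both invariants. The withdrawal that follows is pro rata against the inflated supply and looks perfectly legitimate on its own, which is why a monitor has to compare share supply against reserve backing at every state change rather than inspecting withdrawals in isolation. The same two checks, phrased as post-conditions on the mint and redeem paths, are the kind of property a test suite or audit would assert over a custom stableswap valuation function.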

Verdict

This $9 million exploit serves as a definitive operational mandate that the greatest systemic risk in DeFi is the persistent, unmitigated threat posed by legacy smart contract infrastructure.

Smart contract exploit, infinite mint vulnerability, stableswap pool attack, DeFi logic flaw, token inflation attack, liquidity pool drain, asset manipulation, legacy contract risk, economic exploit, code vulnerability, reentrancy variant, flash loan preparation, asset withdrawal, on-chain forensics, protocol security, risk mitigation, governance vote, treasury reimbursement, multi-asset pool, tokenized assets, yield aggregator, smart contract risk, pool liquidity, decentralized finance

Signal Acquired from → tradingview.com

Micro Crypto News Feeds

economic exploit

Definition ∞ An economic exploit is a manipulation of a system's design or incentives to gain an unfair financial advantage.

economic exploits

Definition ∞ Economic exploits are malicious actions or strategies that manipulate the design or incentives of a decentralized system to extract value unfairly.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

mitigation

Definition ∞ Mitigation refers to actions taken to reduce the severity, seriousness, or harmfulness of something.

governance

Definition ∞ Governance refers to the systems, processes, and rules by which an entity or system is directed and controlled.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.