Security

Legacy Yearn Vault Drained Exploiting Infinite Token Minting Logic Flaw

A logic flaw in a legacy stable-swap pool enabled the minting of near-infinite tokens, leading to an immediate, systemic drain of underlying liquid staking assets.
December 1, 20253 min

A central mass of deep blue, textured material is partially covered and intermingled with a lighter, almost white, powdery substance. This formation is cradled within a polished, metallic structure composed of parallel bars and supports
A central white, futuristic hub connects to multiple radiating metallic conduits, partially submerged in a vivid blue, agitated liquid. White, foamy substances emanate from the connection points where the conduits meet the central structure, implying active processes

Briefing

The Yearn Finance ecosystem experienced a critical security incident involving a legacy stable-swap pool, resulting in the unauthorized draining of underlying liquid staking assets. The primary consequence is a total capital loss for users of the affected yETH vault, necessitating an immediate governance proposal for victim reimbursement from the treasury. Forensic analysis confirms the total financial impact of the exploit is approximately $9 million, leveraged through a single-transaction infinite token minting vulnerability.

A striking abstract composition features clear and blue crystalline structures, white textured formations, and smooth white and silver spheres emerging from dark blue water under a clear sky. The elements are arranged centrally, creating a sense of balance and depth

Context

This incident underscores the persistent risk associated with maintaining legacy smart contracts that operate outside the current, hardened security architecture of a main protocol. The prevailing attack surface for older DeFi implementations often involves non-standard token logic or custom pool designs that lack the rigorous, multi-layered auditing applied to modern, standardized vault systems. This vulnerability was an inherent design flaw in the token’s minting function, which was not adequately protected by standard access controls or invariant checks.

A detailed close-up showcases a textured, deep blue cylindrical component, featuring a prominent metallic, threaded terminal. A transparent, tube-like structure extends from its upper surface, appearing to transport a clear, fluid substance

Analysis

The attack vector exploited a specific logic flaw within the custom stable-swap pool contract used for the legacy yETH token. The attacker leveraged this flaw to execute a single, complex transaction that manipulated the contract’s internal state, allowing the minting of a near-infinite supply of the yETH token. With this artificially inflated balance of yETH , the threat actor was able to withdraw a disproportionate amount of the pool’s real, underlying assets, including wstETH and rETH, effectively draining the pool’s liquidity before the protocol’s monitoring systems could react. The root cause was a failure in the minting function’s internal accounting and validation checks.

A close-up reveals a futuristic apparatus composed of translucent blue chambers filled with bubbling liquid, integrated with polished silver-grey mechanical structures. Hexagonal internal frameworks are visible within the clear liquid, creating a dynamic and complex visual representation of advanced engineering

Parameters

  • Total Funds Drained → $9 Million (The combined loss from the primary stable-swap pool and the associated Curve pool ).
  • Vulnerability ClassInfinite Minting Flaw (A critical logic error in the token’s supply mechanism ).
  • Affected Asset TypeLiquid Staking Tokens (The underlying assets stolen were wrapped/staked ETH variants ).
  • Attacker Action → Single Transaction Exploit (The entire drain was executed in one atomic on-chain operation ).

A snow-covered mass, resembling an iceberg, floats in serene blue water, hosting a textured white sphere and interacting with a metallic, faceted object. From this interaction, a vivid blue liquid cascades into the water, creating white splashes

Outlook

Protocols must immediately conduct comprehensive audits on all legacy and custom-logic contracts, prioritizing sunsetting or migrating funds from systems that do not meet current security standards. The immediate mitigation for users is to withdraw assets from any similarly structured, older pools across the DeFi landscape to prevent contagion risk from shared code bases. This event will likely establish a new best practice standard for immutable contract logic, mandating formal verification for all custom token minting and burning mechanisms.

A central, transparent sphere, containing numerous angular, sapphire-hued crystalline fragments, is encased in a clear, multi-tubed structure. This assembly is positioned against a backdrop of larger, fragmented, dark blue crystalline forms and a pale, speckled surface

Verdict

This $9 million loss is a definitive warning that legacy contract exposure represents an unacceptable systemic risk to the digital asset ecosystem, irrespective of a protocol’s current security posture.

smart contract exploit, infinite minting vulnerability, token logic flaw, liquid staking tokens, DeFi pool drain, stable-swap mechanism, on-chain forensics, economic attack vector, protocol risk, legacy contract, critical bug, chain analysis, asset recovery, fund laundering, treasury reimbursement, governance proposal, vulnerability disclosure, single transaction exploit, access control failure, immutable contract risk Signal Acquired from → tradingview.com

Micro Crypto News Feeds

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

token minting

Definition ∞ Token minting is the process by which new digital tokens are created and introduced into circulation on a blockchain.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

Tags:

Tags: