Security

Yearn Finance Legacy Contract Exploited by Infinite Token Minting Flaw

Unchecked arithmetic in a legacy yETH contract allowed an attacker to mint infinite tokens, creating a systemic risk for all dependent liquidity pools.
December 3, 20253 min

A gleaming silver digital asset token, embossed with a prominent geometric emblem, is securely positioned by a sophisticated metallic mechanism. This central element is enveloped by a dynamic array of deep blue, intertwined tubular structures, exhibiting varied textures from granular glitter to intricate water droplets
A close-up view reveals a dense arrangement of metallic components, dominated by vibrant blue conduits and gleaming silver machinery. These blue tubes, bound by metallic fasteners, snake through a core of interlocking gears and abstract metallic shapes, creating a sense of organized complexity

Briefing

The Yearn Finance protocol suffered a critical economic exploit targeting its legacy yETH stableswap pool via an arithmetic flaw in the token contract. This vulnerability allowed the threat actor to mint an effectively infinite supply of yETH, which was then used to drain real assets from associated Balancer liquidity pools. The total confirmed loss from this sophisticated, single-transaction attack is estimated at approximately $9 million.

An abstract, dark, multi-layered object with intricate, organic-like cutouts is depicted, covered and surrounded by a multitude of small, glowing blue and white particles. These particles appear to flow dynamically across its surface and through its internal structures, creating a sense of movement and digital interaction

Context

The prevailing risk in the DeFi ecosystem involves the maintenance of legacy smart contracts, which often lack the rigorous security standards of modern, audited versions. This specific attack surface was a known factor, as the affected yETH contract was an older implementation, separate from the protocol’s more secure V2 and V3 vaults. The complexity of inter-protocol dependencies also created contagion risk for external pools relying on the compromised token.

The visual depicts a stylized, metallic structure with intricate geometric patterns, resembling a sophisticated processing unit or network node. A dynamic stream of translucent blue liquid pours into its central aperture, representing the flow of digital assets or cryptocurrency

Analysis

The attacker leveraged an unchecked arithmetic flaw, specifically a missing division operation, within the legacy yETH token contract’s calculation logic. This logic error allowed the virtual balance product to inflate uncontrollably, enabling the minting of over 235 trillion yETH tokens in a single, atomic transaction. The newly minted, valueless tokens were immediately swapped for valuable assets, including ETH and liquid staking tokens, from the yETH-LST stableswap pools. The attacker subsequently laundered a portion of the stolen funds, approximately 1,000 ETH, via the Tornado Cash privacy mixer.

The image displays an abstract composition of smooth, curved surfaces, predominantly in shades of light gray and deep blue. Fine, luminous particles and scattered bubbles are visible across these surfaces, creating a textured, almost liquid appearance

Parameters

  • Total Funds Lost → $9 Million (The estimated total value of assets drained from the yETH stableswap and yETH-WETH pools).
  • Exploit VectorInfinite Token Minting (The core vulnerability allowing the creation of a virtually unlimited token supply).
  • Recovery Amount → $2.4 Million (The value of assets successfully recovered by the protocol through a coordinated effort).
  • Laundering Channel → Tornado Cash (The privacy mixer used to obfuscate the trail of approximately 1,000 ETH).

Two intricately designed metallic gears, featuring prominent splined teeth, are captured in a dynamic close-up. A luminous, translucent blue liquid actively flows around and through their engaging surfaces, creating a sense of constant motion and interaction, highlighting the precision of their connection

Outlook

Protocols must immediately prioritize the retirement or rigorous re-auditing of all legacy contracts, as they represent a disproportionate and systemic security risk. Users should verify that their staked assets are exclusively within V2 or V3 vaults, which remain secure, and be aware of potential contagion risk to other pools relying on the deprecated yETH token. This incident will likely drive new auditing standards focused on complex arithmetic and dependency management in stableswap pool implementations.

The image displays an intricate arrangement of abstract, flowing shapes, featuring both translucent, frosted white elements and opaque, deep blue forms, all set against a soft, light gray backdrop. These dynamic, interconnected structures create a sense of depth and fluid motion, with light interacting distinctly with the varying opacities

Verdict

This exploit confirms that legacy contract debt and unchecked arithmetic remain a critical, high-value vulnerability that can be leveraged for total pool drainage in a single, atomic transaction.

Arithmetic flaw, infinite mint exploit, legacy contract risk, token supply manipulation, stableswap pool drain, DeFi security breach, unchecked math logic, liquidity pool exploit, smart contract vulnerability, on-chain forensic analysis, asset recovery operation, decentralized finance threat, token contract design, external pool contagion, single transaction attack Signal Acquired from → coinlaw.io

Micro Crypto News Feeds

arithmetic flaw

Definition ∞ An arithmetic flaw is a computational error within a system.

contagion risk

Definition ∞ Contagion Risk describes the potential for financial distress at one entity or market segment to spread rapidly to others.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

privacy mixer

Definition ∞ A privacy mixer is a service designed to obscure the transaction history of cryptocurrencies.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

legacy contract

Definition ∞ A legacy contract in the digital asset space refers to an older smart contract or a version of a protocol that is no longer actively maintained, updated, or considered the primary operational version.

Tags:

Tags: