Security

Yearn Finance Legacy Contract Exploited by Infinite Token Minting Flaw

Unchecked arithmetic in a legacy yETH contract allowed an attacker to mint infinite tokens, creating a systemic risk for all dependent liquidity pools.
December 3, 20253 min

The image displays an abstract composition of smooth, curved surfaces, predominantly in shades of light gray and deep blue. Fine, luminous particles and scattered bubbles are visible across these surfaces, creating a textured, almost liquid appearance
A futuristic metallic device, possibly a satellite or specialized node, is partially submerged in a calm body of water. From its lower section, a vigorous stream of bright blue liquid, intermingled with white foam, forcefully ejects, creating dynamic ripples and splashes on the water's surface

Briefing

The Yearn Finance protocol suffered a critical economic exploit targeting its legacy yETH stableswap pool via an arithmetic flaw in the token contract. This vulnerability allowed the threat actor to mint an effectively infinite supply of yETH, which was then used to drain real assets from associated Balancer liquidity pools. The total confirmed loss from this sophisticated, single-transaction attack is estimated at approximately $9 million.

Three textured, translucent blocks, varying in height and displaying a blue gradient, stand in rippled water under a full moon. The blocks transition from clear at the top to deep blue at their base, reflecting in the surrounding liquid

Context

The prevailing risk in the DeFi ecosystem involves the maintenance of legacy smart contracts, which often lack the rigorous security standards of modern, audited versions. This specific attack surface was a known factor, as the affected yETH contract was an older implementation, separate from the protocol’s more secure V2 and V3 vaults. The complexity of inter-protocol dependencies also created contagion risk for external pools relying on the compromised token.

A large, irregularly shaped celestial body, half vibrant blue and half textured grey, is prominently featured, encircled by multiple translucent blue rings. Smaller, similar asteroid-like spheres, some partially blue, are scattered around, with one enclosed within a clear circular boundary, all against a gradient background transitioning from light to dark grey

Analysis

The attacker leveraged an unchecked arithmetic flaw, specifically a missing division operation, within the legacy yETH token contract’s calculation logic. This logic error allowed the virtual balance product to inflate uncontrollably, enabling the minting of over 235 trillion yETH tokens in a single, atomic transaction. The newly minted, valueless tokens were immediately swapped for valuable assets, including ETH and liquid staking tokens, from the yETH-LST stableswap pools. The attacker subsequently laundered a portion of the stolen funds, approximately 1,000 ETH, via the Tornado Cash privacy mixer.

A futuristic, segmented white sphere is partially submerged in dark, reflective water, with vibrant blue, crystalline formations emerging from its central opening. These icy structures spill into the water, forming a distinct mass on the surface

Parameters

  • Total Funds Lost → $9 Million (The estimated total value of assets drained from the yETH stableswap and yETH-WETH pools).
  • Exploit VectorInfinite Token Minting (The core vulnerability allowing the creation of a virtually unlimited token supply).
  • Recovery Amount → $2.4 Million (The value of assets successfully recovered by the protocol through a coordinated effort).
  • Laundering Channel → Tornado Cash (The privacy mixer used to obfuscate the trail of approximately 1,000 ETH).

A luminous blue core radiates within a translucent, interconnected molecular structure against a dark grey background, with multiple spherical nodes linked by flowing, glass-like conduits. The composition visually represents a complex, abstract network, with light emanating from central and peripheral elements

Outlook

Protocols must immediately prioritize the retirement or rigorous re-auditing of all legacy contracts, as they represent a disproportionate and systemic security risk. Users should verify that their staked assets are exclusively within V2 or V3 vaults, which remain secure, and be aware of potential contagion risk to other pools relying on the deprecated yETH token. This incident will likely drive new auditing standards focused on complex arithmetic and dependency management in stableswap pool implementations.

The image presents an abstract composition dominated by transparent, elongated structures that appear to stretch and flow, creating a sense of dynamic movement. These glass-like forms reflect ambient light, highlighting their smooth, interconnected surfaces

Verdict

This exploit confirms that legacy contract debt and unchecked arithmetic remain a critical, high-value vulnerability that can be leveraged for total pool drainage in a single, atomic transaction.

Arithmetic flaw, infinite mint exploit, legacy contract risk, token supply manipulation, stableswap pool drain, DeFi security breach, unchecked math logic, liquidity pool exploit, smart contract vulnerability, on-chain forensic analysis, asset recovery operation, decentralized finance threat, token contract design, external pool contagion, single transaction attack Signal Acquired from → coinlaw.io

Micro Crypto News Feeds

arithmetic flaw

Definition ∞ An arithmetic flaw is a computational error within a system.

contagion risk

Definition ∞ Contagion Risk describes the potential for financial distress at one entity or market segment to spread rapidly to others.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

privacy mixer

Definition ∞ A privacy mixer is a service designed to obscure the transaction history of cryptocurrencies.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

legacy contract

Definition ∞ A legacy contract in the digital asset space refers to an older smart contract or a version of a protocol that is no longer actively maintained, updated, or considered the primary operational version.

Tags:

Tags: