Security

Yearn Finance Legacy Contract Exploited by Infinite Token Minting Flaw

Unchecked arithmetic in a legacy yETH contract allowed an attacker to mint infinite tokens, creating a systemic risk for all dependent liquidity pools.
December 3, 20253 min

The image features an abstract, high-tech scene dominated by transparent, angular channels filled with a vibrant blue, textured material and scattered white particles. Several smooth white spheres are visible, some embedded within the blue substance, others resting on or floating near the clear structures, all set against a soft, light background
Two intricately designed metallic gears, featuring prominent splined teeth, are captured in a dynamic close-up. A luminous, translucent blue liquid actively flows around and through their engaging surfaces, creating a sense of constant motion and interaction, highlighting the precision of their connection

Briefing

The Yearn Finance protocol suffered a critical economic exploit targeting its legacy yETH stableswap pool via an arithmetic flaw in the token contract. This vulnerability allowed the threat actor to mint an effectively infinite supply of yETH, which was then used to drain real assets from associated Balancer liquidity pools. The total confirmed loss from this sophisticated, single-transaction attack is estimated at approximately $9 million.

A sophisticated silver and black metallic component, featuring sharp angles and reflective surfaces, is encased within a dynamic torrent of translucent blue liquid. The fluid exhibits vigorous motion, creating splashes and intricate light refractions around the immersed structure, set against a soft gray background

Context

The prevailing risk in the DeFi ecosystem involves the maintenance of legacy smart contracts, which often lack the rigorous security standards of modern, audited versions. This specific attack surface was a known factor, as the affected yETH contract was an older implementation, separate from the protocol’s more secure V2 and V3 vaults. The complexity of inter-protocol dependencies also created contagion risk for external pools relying on the compromised token.

The visual depicts a stylized, metallic structure with intricate geometric patterns, resembling a sophisticated processing unit or network node. A dynamic stream of translucent blue liquid pours into its central aperture, representing the flow of digital assets or cryptocurrency

Analysis

The attacker leveraged an unchecked arithmetic flaw, specifically a missing division operation, within the legacy yETH token contract’s calculation logic. This logic error allowed the virtual balance product to inflate uncontrollably, enabling the minting of over 235 trillion yETH tokens in a single, atomic transaction. The newly minted, valueless tokens were immediately swapped for valuable assets, including ETH and liquid staking tokens, from the yETH-LST stableswap pools. The attacker subsequently laundered a portion of the stolen funds, approximately 1,000 ETH, via the Tornado Cash privacy mixer.

The image displays an abstract composition featuring textured blue and white cloud-like forms, transparent geometric objects, and a detailed moon-like sphere. These elements float within a digital-looking environment, creating a sense of depth and complexity

Parameters

  • Total Funds Lost → $9 Million (The estimated total value of assets drained from the yETH stableswap and yETH-WETH pools).
  • Exploit VectorInfinite Token Minting (The core vulnerability allowing the creation of a virtually unlimited token supply).
  • Recovery Amount → $2.4 Million (The value of assets successfully recovered by the protocol through a coordinated effort).
  • Laundering Channel → Tornado Cash (The privacy mixer used to obfuscate the trail of approximately 1,000 ETH).

A high-resolution image captures a complex metallic mechanism featuring a glowing blue spherical core, partially submerged in a field of transparent bubbles. The intricate silver-toned components are illuminated by the internal blue light, creating a futuristic and dynamic scene

Outlook

Protocols must immediately prioritize the retirement or rigorous re-auditing of all legacy contracts, as they represent a disproportionate and systemic security risk. Users should verify that their staked assets are exclusively within V2 or V3 vaults, which remain secure, and be aware of potential contagion risk to other pools relying on the deprecated yETH token. This incident will likely drive new auditing standards focused on complex arithmetic and dependency management in stableswap pool implementations.

A textured white sphere, resembling a frosted orb, is centrally positioned, surrounded by vibrant blue and white cloud-like formations. Clear, angular, crystalline structures are embedded within and around these formations, all set against a soft, cloudy grey sky

Verdict

This exploit confirms that legacy contract debt and unchecked arithmetic remain a critical, high-value vulnerability that can be leveraged for total pool drainage in a single, atomic transaction.

Arithmetic flaw, infinite mint exploit, legacy contract risk, token supply manipulation, stableswap pool drain, DeFi security breach, unchecked math logic, liquidity pool exploit, smart contract vulnerability, on-chain forensic analysis, asset recovery operation, decentralized finance threat, token contract design, external pool contagion, single transaction attack Signal Acquired from → coinlaw.io

Micro Crypto News Feeds

arithmetic flaw

Definition ∞ An arithmetic flaw is a computational error within a system.

contagion risk

Definition ∞ Contagion Risk describes the potential for financial distress at one entity or market segment to spread rapidly to others.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

privacy mixer

Definition ∞ A privacy mixer is a service designed to obscure the transaction history of cryptocurrencies.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

legacy contract

Definition ∞ A legacy contract in the digital asset space refers to an older smart contract or a version of a protocol that is no longer actively maintained, updated, or considered the primary operational version.

Tags:

Tags: