Security

Yearn Finance Legacy Contract Exploited by Infinite Token Minting Flaw

Unchecked arithmetic in a legacy yETH contract allowed an attacker to mint infinite tokens, creating a systemic risk for all dependent liquidity pools.
December 3, 20253 min

A striking abstract composition features clear and blue crystalline structures, white textured formations, and smooth white and silver spheres emerging from dark blue water under a clear sky. The elements are arranged centrally, creating a sense of balance and depth
The image features white spheres, white rings, and clusters of blue and clear geometric cubes interconnected by transparent lines. These elements form an intricate, abstract system against a dark background, visually representing a sophisticated decentralized network architecture

Briefing

The Yearn Finance protocol suffered a critical economic exploit targeting its legacy yETH stableswap pool via an arithmetic flaw in the token contract. This vulnerability allowed the threat actor to mint an effectively infinite supply of yETH, which was then used to drain real assets from associated Balancer liquidity pools. The total confirmed loss from this sophisticated, single-transaction attack is estimated at approximately $9 million.

A luminous blue core radiates within a translucent, interconnected molecular structure against a dark grey background, with multiple spherical nodes linked by flowing, glass-like conduits. The composition visually represents a complex, abstract network, with light emanating from central and peripheral elements

Context

The prevailing risk in the DeFi ecosystem involves the maintenance of legacy smart contracts, which often lack the rigorous security standards of modern, audited versions. This specific attack surface was a known factor, as the affected yETH contract was an older implementation, separate from the protocol’s more secure V2 and V3 vaults. The complexity of inter-protocol dependencies also created contagion risk for external pools relying on the compromised token.

The image displays an abstract composition of metallic, cylindrical objects interspersed with voluminous clouds of white and blue smoke. A glowing, textured sphere resembling the moon is centrally positioned among the metallic forms

Analysis

The attacker leveraged an unchecked arithmetic flaw, specifically a missing division operation, within the legacy yETH token contract’s calculation logic. This logic error allowed the virtual balance product to inflate uncontrollably, enabling the minting of over 235 trillion yETH tokens in a single, atomic transaction. The newly minted, valueless tokens were immediately swapped for valuable assets, including ETH and liquid staking tokens, from the yETH-LST stableswap pools. The attacker subsequently laundered a portion of the stolen funds, approximately 1,000 ETH, via the Tornado Cash privacy mixer.

A complex, abstract structure of clear, reflective material features intertwined and layered forms, surrounding a vibrant blue, spherical core. Light reflects and refracts across its surfaces, creating a sense of depth and transparency

Parameters

  • Total Funds Lost → $9 Million (The estimated total value of assets drained from the yETH stableswap and yETH-WETH pools).
  • Exploit VectorInfinite Token Minting (The core vulnerability allowing the creation of a virtually unlimited token supply).
  • Recovery Amount → $2.4 Million (The value of assets successfully recovered by the protocol through a coordinated effort).
  • Laundering Channel → Tornado Cash (The privacy mixer used to obfuscate the trail of approximately 1,000 ETH).

A futuristic metallic device, possibly a satellite or specialized node, is partially submerged in a calm body of water. From its lower section, a vigorous stream of bright blue liquid, intermingled with white foam, forcefully ejects, creating dynamic ripples and splashes on the water's surface

Outlook

Protocols must immediately prioritize the retirement or rigorous re-auditing of all legacy contracts, as they represent a disproportionate and systemic security risk. Users should verify that their staked assets are exclusively within V2 or V3 vaults, which remain secure, and be aware of potential contagion risk to other pools relying on the deprecated yETH token. This incident will likely drive new auditing standards focused on complex arithmetic and dependency management in stableswap pool implementations.

A close-up view reveals a dense arrangement of metallic components, dominated by vibrant blue conduits and gleaming silver machinery. These blue tubes, bound by metallic fasteners, snake through a core of interlocking gears and abstract metallic shapes, creating a sense of organized complexity

Verdict

This exploit confirms that legacy contract debt and unchecked arithmetic remain a critical, high-value vulnerability that can be leveraged for total pool drainage in a single, atomic transaction.

Arithmetic flaw, infinite mint exploit, legacy contract risk, token supply manipulation, stableswap pool drain, DeFi security breach, unchecked math logic, liquidity pool exploit, smart contract vulnerability, on-chain forensic analysis, asset recovery operation, decentralized finance threat, token contract design, external pool contagion, single transaction attack Signal Acquired from → coinlaw.io

Micro Crypto News Feeds

arithmetic flaw

Definition ∞ An arithmetic flaw is a computational error within a system.

contagion risk

Definition ∞ Contagion Risk describes the potential for financial distress at one entity or market segment to spread rapidly to others.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

privacy mixer

Definition ∞ A privacy mixer is a service designed to obscure the transaction history of cryptocurrencies.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

legacy contract

Definition ∞ A legacy contract in the digital asset space refers to an older smart contract or a version of a protocol that is no longer actively maintained, updated, or considered the primary operational version.

Tags:

Tags: