Security

Yearn Finance Legacy Contract Exploited by Infinite Token Minting Flaw

Unchecked arithmetic in a legacy yETH contract allowed an attacker to mint infinite tokens, creating a systemic risk for all dependent liquidity pools.
December 3, 20253 min

A white spherical object with dark openings, encircled by a white ring, is positioned centrally amidst textured blue and clear forms. The vibrant blue mass occupies the left, while the transparent, icy texture is on the right, all against a dark, glowing background
A striking abstract composition features highly reflective, undulating silver forms intricately intertwined with translucent, deep blue, fluid-like structures against a soft grey backdrop. The interplay of light and shadow highlights the smooth, polished surfaces and the depth of the blue elements, creating a sense of dynamic motion and complex integration

Briefing

The Yearn Finance protocol suffered a critical economic exploit targeting its legacy yETH stableswap pool via an arithmetic flaw in the token contract. This vulnerability allowed the threat actor to mint an effectively infinite supply of yETH, which was then used to drain real assets from associated Balancer liquidity pools. The total confirmed loss from this sophisticated, single-transaction attack is estimated at approximately $9 million.

The image displays an abstract arrangement of soft white, cloud-like masses, translucent blue geometric shapes, and polished silver rings. A textured white sphere, resembling a moon, is centrally placed among these elements against a dark blue background

Context

The prevailing risk in the DeFi ecosystem involves the maintenance of legacy smart contracts, which often lack the rigorous security standards of modern, audited versions. This specific attack surface was a known factor, as the affected yETH contract was an older implementation, separate from the protocol’s more secure V2 and V3 vaults. The complexity of inter-protocol dependencies also created contagion risk for external pools relying on the compromised token.

A gleaming silver digital asset token, embossed with a prominent geometric emblem, is securely positioned by a sophisticated metallic mechanism. This central element is enveloped by a dynamic array of deep blue, intertwined tubular structures, exhibiting varied textures from granular glitter to intricate water droplets

Analysis

The attacker leveraged an unchecked arithmetic flaw, specifically a missing division operation, within the legacy yETH token contract’s calculation logic. This logic error allowed the virtual balance product to inflate uncontrollably, enabling the minting of over 235 trillion yETH tokens in a single, atomic transaction. The newly minted, valueless tokens were immediately swapped for valuable assets, including ETH and liquid staking tokens, from the yETH-LST stableswap pools. The attacker subsequently laundered a portion of the stolen funds, approximately 1,000 ETH, via the Tornado Cash privacy mixer.

The image displays a transparent, glass-like molecular structure, featuring a central spherical component encased in metallic wires, connected to a branching network. Blue liquid or light fills the transparent material, creating a sense of dynamic flow within the structure

Parameters

  • Total Funds Lost → $9 Million (The estimated total value of assets drained from the yETH stableswap and yETH-WETH pools).
  • Exploit VectorInfinite Token Minting (The core vulnerability allowing the creation of a virtually unlimited token supply).
  • Recovery Amount → $2.4 Million (The value of assets successfully recovered by the protocol through a coordinated effort).
  • Laundering Channel → Tornado Cash (The privacy mixer used to obfuscate the trail of approximately 1,000 ETH).

The image displays a sophisticated abstract 3D render featuring a central blue mechanical ring structure. This intricate core is surrounded by a metallic, braided cage, dark spheres, and translucent white flowing elements, all set against a dark, reflective background

Outlook

Protocols must immediately prioritize the retirement or rigorous re-auditing of all legacy contracts, as they represent a disproportionate and systemic security risk. Users should verify that their staked assets are exclusively within V2 or V3 vaults, which remain secure, and be aware of potential contagion risk to other pools relying on the deprecated yETH token. This incident will likely drive new auditing standards focused on complex arithmetic and dependency management in stableswap pool implementations.

The visual presents a series of concentric, semi-transparent blue rings, some containing or interacting with white, cloud-like formations. These elements are set against a gradient dark background, creating a sense of depth and dynamic movement

Verdict

This exploit confirms that legacy contract debt and unchecked arithmetic remain a critical, high-value vulnerability that can be leveraged for total pool drainage in a single, atomic transaction.

Arithmetic flaw, infinite mint exploit, legacy contract risk, token supply manipulation, stableswap pool drain, DeFi security breach, unchecked math logic, liquidity pool exploit, smart contract vulnerability, on-chain forensic analysis, asset recovery operation, decentralized finance threat, token contract design, external pool contagion, single transaction attack Signal Acquired from → coinlaw.io

Micro Crypto News Feeds

arithmetic flaw

Definition ∞ An arithmetic flaw is a computational error within a system.

contagion risk

Definition ∞ Contagion Risk describes the potential for financial distress at one entity or market segment to spread rapidly to others.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

recovery

Definition ∞ Recovery, in a financial context, signifies the process by which an asset, market, or economy regains value after a period of decline.

privacy mixer

Definition ∞ A privacy mixer is a service designed to obscure the transaction history of cryptocurrencies.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

legacy contract

Definition ∞ A legacy contract in the digital asset space refers to an older smart contract or a version of a protocol that is no longer actively maintained, updated, or considered the primary operational version.

Tags:

Tags: