Briefing

A critical security incident has compromised a legacy Yearn Finance yETH stableswap pool, resulting in an approximate $9 million loss of deposited assets. The core of the exploit was a fundamental logic flaw within a custom stableswap contract that permitted the attacker to mint a near-infinite supply of unbacked yETH tokens in a single transaction. This immediate and unauthorized token inflation was then used to drain the entire underlying liquidity pool before the protocol could initiate a response. The total loss is quantified at $9 million, with the attacker subsequently routing a portion of the stolen funds through the Tornado Cash mixer for obfuscation.


Context

The prevailing risk factor in the DeFi ecosystem remains the maintenance of legacy or custom-forked smart contracts that operate outside a protocol’s core, currently audited architecture. This specific attack leveraged a vulnerability in a custom stableswap implementation which, despite belonging to a known class of high-risk code, was not fully integrated into the protocol’s modern security posture. The incident highlights the systemic danger posed by unaudited or outdated components within a broader, multi-version protocol, where a single point of failure can be exploited for an economic drain.


Analysis

The incident’s technical mechanics centered on a flaw in the yETH token’s underlying stableswap logic, specifically within the mint function’s internal accounting. The attacker initiated a transaction that exploited this logic, allowing them to bypass the collateral check and mint an extremely large, unbacked amount of yETH tokens. This immediate, fraudulent supply inflation artificially increased the attacker’s pool share, enabling them to redeem their newly minted tokens for the pool’s entire legitimate underlying asset reserves. The exploit was successful because the custom contract’s state validation failed to properly account for the token’s true backing, making it susceptible to a single, high-leverage transaction.
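The accounting failure described above, the mint path crediting pool tokens that are not matched by assets actually held in reserve, can be illustrated with a toy pool model. This is an added example written for this briefing, not the yETH contract or any Yearn code: the pool, the `mint_unchecked` flaw and the `mint_checked` hardening are all constructed to show the class of defect and the solvency invariant that catches it, and the amounts are made up.

```python
"""Toy stableswap-style pool token with a flawed mint path beside a hardened one.
Constructed illustration of the defect class; not the yETH contract."""
from dataclasses import dataclass, field

ZERO_DEPOSIT = 0


class InvariantViolation(Exception):
    """Raised when pool-token supply is no longer fully backed by reserves."""


@dataclass
class Pool:
    reserves: int = 0                                   # underlying asset held (constructed units)
    total_supply: int = 0                               # pool tokens in circulation
    balances: dict = field(default_factory=dict)        # holder -> pool tokens

    def _credit(self, user: str, shares: int) -> None:
        self.balances[user] = self.balances.get(user, 0) + shares
        self.total_supply += shares

    def check_invariant(self) -> None:
        """Solvency invariant for this 1:1 toy: supply may never exceed reserves."""
        if self.total_supply > self.reserves:
            raise InvariantViolation(
                f"unbacked supply: {self.total_supply} tokens vs {self.reserves} reserves")

    def mint_unchecked(self, user: str, claimed_amount: int) -> int:
        """Constructed flaw: credits the caller's claimed amount without ever
        reconciling it against reserves, so unbacked tokens can be minted."""
        self._credit(user, claimed_amount)
        return claimed_amount

    def mint_checked(self, user: str, deposit_amount: int) -> int:
        """Hardened mint: shares derive from the measured reserve delta, and the
        invariant is re-checked before the state change is considered final."""
        before = self.reserves
        self.reserves += deposit_amount                  # the actual transfer in
        delta = self.reserves - before
        shares = delta if self.total_supply == 0 else delta * self.total_supply // before
        self._credit(user, shares)
        self.check_invariant()
        return shares

    def redeem(self, user: str, shares: int) -> int:
        """Pro-rata redemption: payout is the holder's share of reserves."""
        owned = self.balances.get(user, 0)
        if shares > owned:
            raise ValueError("insufficient balance")
        payout = shares * self.reserves // self.total_supply
        self.balances[user] = owned - shares
        self.total_supply -= shares
        self.reserves -= payout
        return payout


def honest_path() -> tuple:
    """Checked mint: shares track deposits, and a zero deposit yields zero shares."""
    pool = Pool()
    a = pool.mint_checked("alice", 1_000)
    b = pool.mint_checked("bob", 500)
    m = pool.mint_checked("mallory", ZERO_DEPOSIT)
    return a, b, m, pool.total_supply, pool.reserves


def invariant_catches_unbacked_mint() -> bool:
    """The same invariant, run after an unchecked mint, flags the unbacked supply."""
    pool = Pool()
    pool.mint_checked("alice", 1_000)
    pool.mint_unchecked("mallory", 10**12)               # nothing deposited behind it
    try:
        pool.check_invariant()
    except InvariantViolation:
        return True
    return False


def unchecked_drain() -> tuple:
    """Without the invariant, the inflated share redeems almost all reserves."""
    pool = Pool()
    pool.mint_checked("alice", 1_000)
    pool.mint_unchecked("mallory", 10**12)
    payout = pool.redeem("mallory", 10**12)
    return payout, pool.reserves                         # (999, 1): alice's 1,000 is gone


if __name__ == "__main__":
    print(honest_path())
    print(invariant_catches_unbacked_mint())
    print(unchecked_drain())
```

The point of the hardened path is that shares are computed from what the pool can observe (the change in its own reserves), never from a caller-supplied figure, and that a cheap post-condition on supply versus backing is evaluated on every mint so an accounting error reverts instead of persisting.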


Parameters

  • Total Funds Lost → $9,000,000 USD (Approximate total value drained from the affected yETH stableswap pools.)
  • Attack Vector → Infinite Token Minting Flaw (A logic error in the custom contract’s mint function.)
  • Affected Component → Legacy yETH Stableswap Pool (A custom, older version of a liquidity pool contract.)
  • Funds Laundered → 1,000 ETH (The approximate value of ETH sent to Tornado Cash for anonymization.)


Outlook

The immediate mitigation step for users is to withdraw any remaining liquidity from all non-core, legacy pools, as this incident confirms the critical risk of outdated contract logic. The primary second-order effect is heightened scrutiny of all custom stableswap implementations and older, unaudited DeFi contracts across the ecosystem, suggesting a contagion risk for protocols with similar architectural debt. This event will establish a new security best practice → the mandatory and immediate decommissioning or formal, high-assurance audit of all legacy contract versions to prevent them from becoming an attack surface.
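Beyond decommissioning or auditing legacy contracts, a protocol can watch for the symptom this incident produced: a single transaction that inflates a pool token's supply far beyond anything a normal deposit would. The monitor below is an added example for this briefing, not a Yearn tool; the event records, the zero-address convention for mints and burns, and the 10% per-transaction threshold are all constructed assumptions.

```python
"""Flag single-transaction supply inflation from a stream of pool-token transfer events.
Added example with constructed data; not a Yearn or forklog tool."""

ZERO = "0x0000000000000000000000000000000000000000"   # mints come from, burns go to, the zero address
MINT_SPIKE_RATIO = 0.10                                # constructed: alert above 10% of prior supply per tx


def flag_mint_spikes(events: list, initial_supply: int, ratio: float = MINT_SPIKE_RATIO) -> list:
    """Replay transfer events in order, aggregate mints per transaction, and alert
    when one transaction mints more than `ratio` of the supply it started with."""
    supply = initial_supply
    per_tx = {}                                        # tx -> [supply_before, minted_in_tx]
    order = []
    for ev in events:
        tx = ev["tx"]
        if tx not in per_tx:
            per_tx[tx] = [supply, 0]
            order.append(tx)
        if ev["from"] == ZERO:                         # mint
            per_tx[tx][1] += ev["value"]
            supply += ev["value"]
        elif ev["to"] == ZERO:                         # burn
            supply -= ev["value"]
        # ordinary holder-to-holder transfers leave supply unchanged
    alerts = []
    for tx in order:
        before, minted = per_tx[tx]
        if minted > 0 and (before == 0 or minted > ratio * before):
            alerts.append({
                "tx": tx,
                "minted": minted,
                "supply_before": before,
                "ratio": (minted / before) if before else float("inf"),
            })
    return alerts


# Constructed sample stream: two routine operations, then one transaction that
# mints hundreds of times the existing supply across two Transfer events.
SAMPLE_SUPPLY = 10_000
SAMPLE_EVENTS = [
    {"tx": "0xaaa1", "from": ZERO,    "to": "0xlp1", "value": 500},        # 5% mint: fine
    {"tx": "0xaaa2", "from": "0xlp1", "to": ZERO,    "value": 200},        # burn
    {"tx": "0xaaa3", "from": "0xlp1", "to": "0xlp2", "value": 50},         # plain transfer
    {"tx": "0xaaa4", "from": ZERO,    "to": "0xatt", "value": 4_000_000},  # same tx, two mints
    {"tx": "0xaaa4", "from": ZERO,    "to": "0xatt", "value": 1_000_000},
]


def run_sample() -> list:
    return flag_mint_spikes(SAMPLE_EVENTS, SAMPLE_SUPPLY)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT tx={alert['tx']} minted={alert['minted']} "
              f"supply_before={alert['supply_before']} ratio={alert['ratio']:.1f}x")
```

Aggregating per transaction matters because a mint split across several events in one call would otherwise slip under a per-event threshold; the supply snapshot is taken at the first event of each transaction so the comparison is against the pre-transaction state. Such an alert cannot undo a drain that completes in one transaction, but it does give a protocol a concrete trigger for pausing related pools and starting forensics rather than learning of the event from the market.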

The exploitation of a fundamental token minting flaw in a legacy contract confirms that architectural debt is now a critical and quantifiable risk to capital within the decentralized finance sector.

Signal Acquired from → forklog.com
