Briefing

A critical security incident has compromised a legacy Yearn Finance yETH stableswap pool, resulting in an approximate $9 million loss of deposited assets. The core of the exploit was a fundamental logic flaw within a custom stableswap contract that permitted the attacker to mint a near-infinite supply of unbacked yETH tokens in a single transaction. This immediate and unauthorized token inflation was then used to drain the entire underlying liquidity pool before the protocol could initiate a response. The attacker subsequently routed a portion of the stolen funds through the Tornado Cash mixer for obfuscation.


Context

The prevailing risk factor in the DeFi ecosystem remains the maintenance of legacy or custom-forked smart contracts that operate outside of a protocol’s core, currently-audited architecture. This specific attack leveraged a vulnerability in a custom stableswap implementation, which, despite being a known class of high-risk code, was not fully integrated into the protocol’s modern security posture. The incident highlights the systemic danger posed by unaudited or outdated components within a broader, multi-version protocol, where a single point of failure can be exploited for an economic drain.


Analysis

The incident’s technical mechanics centered on a flaw in the yETH token’s underlying stableswap logic, specifically within the mint function’s internal accounting. The attacker initiated a transaction that exploited this logic, allowing them to bypass the collateral check and mint an extremely large, unbacked amount of yETH tokens. This immediate, fraudulent supply inflation artificially increased the attacker’s pool share, enabling them to redeem their newly minted tokens for the pool’s entire legitimate underlying asset reserves. The exploit was successful because the custom contract’s state validation failed to properly account for the token’s true backing, making it susceptible to a single, high-leverage transaction.
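To make the failure mode concrete, the following is an added toy model written for this briefing, not Yearn's contract or a reconstruction of the exploited code. It models the general class of bug the analysis describes: a mint path whose share accounting is not reconciled against what the pool actually holds, so LP tokens (yETH-like) can be created without backing and then redeemed against honest depositors' reserves. Beside it sits a version that credits shares only for the measured reserve increase and enforces the supply-is-backed invariant as a post-condition; the same invariant doubles as an off-chain monitoring check a defender can run against any legacy pool. All asset names, amounts and the `Pool` API are constructed for the example.

```python
"""Toy liquidity-pool mint/redeem model: an unbacked-mint flaw beside an
invariant-checked version. Constructed illustration, not any real contract."""
from dataclasses import dataclass, field


class InvariantViolation(Exception):
    """Raised when LP supply would exceed the assets actually held."""


@dataclass
class Pool:
    reserves: dict = field(default_factory=dict)   # asset -> units the pool actually holds
    total_supply: int = 0                           # LP tokens outstanding
    balances: dict = field(default_factory=dict)    # holder -> LP tokens

    def backing(self) -> int:
        # Stableswap assets trade ~1:1, so total backing is the sum of reserves.
        return sum(self.reserves.values())

    def mint_vulnerable(self, who: str, claimed: dict) -> int:
        """Flawed path: trusts caller-declared deposit amounts and never checks
        that reserves grew, so shares are minted with no collateral behind them."""
        deposit = sum(claimed.values())
        shares = deposit if self.total_supply == 0 else deposit * self.total_supply // self.backing()
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def mint_checked(self, who: str, transfer_in: dict) -> int:
        """Hardened path: a deposit is only what the pool measurably received,
        and the supply-is-backed invariant is asserted after every state change."""
        before = self.backing()
        for asset, amount in transfer_in.items():
            if amount <= 0:
                raise ValueError("deposit must be positive")
            self.reserves[asset] = self.reserves.get(asset, 0) + amount   # models the token transfer landing
        received = self.backing() - before
        shares = received if self.total_supply == 0 else received * self.total_supply // before
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        if not supply_is_backed(self):
            raise InvariantViolation("LP supply exceeds reserves")
        return shares

    def redeem(self, who: str, shares: int) -> dict:
        """Burn shares for a pro-rata slice of every reserve asset."""
        if shares > self.balances.get(who, 0):
            raise ValueError("insufficient LP balance")
        out = {a: r * shares // self.total_supply for a, r in self.reserves.items()}
        for a, amt in out.items():
            self.reserves[a] -= amt
        self.total_supply -= shares
        self.balances[who] -= shares
        return out


def supply_is_backed(pool: Pool) -> bool:
    """Monitoring invariant: every LP token must be covered by held assets.
    A false result on a live pool is a high-priority alert."""
    return pool.total_supply <= pool.backing()


def seed_pool() -> Pool:
    """Constructed honest liquidity: 1,000 ETH and 1,000 stETH from one depositor."""
    pool = Pool()
    pool.mint_checked("lp_honest", {"ETH": 1_000, "stETH": 1_000})
    return pool


def unbacked_mint_scenario() -> dict:
    """Walk the flawed path: a huge declared deposit with nothing transferred,
    then redeem the minted shares against the honest reserves."""
    pool = seed_pool()
    shares = pool.mint_vulnerable("attacker", {"ETH": 10**30})   # declared, never received
    alarm = not supply_is_backed(pool)                            # detector fires here
    drained = pool.redeem("attacker", shares)
    return {"minted": shares, "alarm": alarm, "drained": drained, "left": pool.backing()}


def checked_deposit_scenario() -> dict:
    """Walk the hardened path with a real 500 ETH deposit; shares stay proportional."""
    pool = seed_pool()
    shares = pool.mint_checked("lp_second", {"ETH": 500})
    return {"shares": shares, "supply": pool.total_supply, "backed": supply_is_backed(pool)}


if __name__ == "__main__":
    print(unbacked_mint_scenario())
    print(checked_deposit_scenario())
```

The vulnerable pool ends with a handful of units of rounding dust; the hardened pool cannot reach that state because shares are derived from the measured reserve delta and the invariant is checked before the call returns. The same `supply_is_backed` comparison, run off-chain against a pool's on-chain supply and reserve balances, is the cheapest detection control for this class of flaw.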


Parameters

  • Total Funds Lost → $9,000,000 USD (Approximate total value drained from the affected yETH stableswap pools.)
  • Attack Vector → Infinite Token Minting Flaw (A logic error in the custom contract’s mint function.)
  • Affected Component → Legacy yETH Stableswap Pool (A custom, older version of a liquidity pool contract.)
  • Funds Laundered → 1,000 ETH (The approximate value of ETH sent to Tornado Cash for anonymization.)


Outlook

The immediate mitigation step for users is to withdraw any remaining liquidity from all non-core, legacy pools, as this incident confirms the critical risk of outdated contract logic. The primary second-order effect is heightened scrutiny of all custom stableswap implementations and older, unaudited DeFi contracts across the ecosystem, which points to a contagion risk for protocols carrying similar architectural debt. This event will establish a new security best practice → the mandatory and immediate decommissioning, or formal high-assurance audit, of all legacy contract versions so they cannot become an attack surface.

The exploitation of a fundamental token minting flaw in a legacy contract confirms that architectural debt is now a critical and quantifiable risk to capital within the decentralized finance sector.

Signal Acquired from → forklog.com
