Briefing

A security incident has compromised a legacy Yearn Finance yETH stableswap pool, draining approximately $9 million of deposited assets. The root cause was a logic flaw in a custom stableswap contract that let the attacker mint a near-unlimited quantity of unbacked yETH tokens in a single transaction. That unauthorized inflation of the supply was then used to drain the pool's entire underlying liquidity before the protocol could respond. The attacker subsequently routed a portion of the stolen funds through the Tornado Cash mixer to obscure their trail.


Context

The prevailing risk factor in DeFi remains the continued operation of legacy or custom-forked smart contracts outside a protocol's current, audited core. This attack exploited a vulnerability in a custom stableswap implementation that, despite belonging to a known high-risk class of code, had not been brought under the protocol's modern security posture. The incident highlights the systemic danger of unaudited or outdated components within a multi-version protocol: a single such component becomes the point of failure through which a whole pool's economic value can be drained.


Analysis

Technically, the incident turned on a flaw in the internal accounting of the mint function in the yETH stableswap logic. The attacker's transaction exploited this logic to bypass the collateral check and mint an extremely large, unbacked quantity of yETH. The fraudulent supply inflation gave the attacker a dominant share of the pool, which they then redeemed for the pool's entire legitimate underlying reserves. The exploit succeeded because the custom contract's state validation did not check the supply it was issuing against the assets it actually held, so a single, high-leverage transaction could walk the backing out of the pool. The check that closes this class of bug is a post-condition on every mint: the value backing each outstanding share must never decrease.
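As an added example that is not part of the original report and does not reproduce Yearn's contract or the actual yETH flaw, the following Python model shows the bug class the analysis describes: a mint that prices new shares against partial or stale state rather than the pool's true backing, driven through a swap-then-deposit sequence in one transaction, beside the post-condition a hardened mint should enforce. The pool class, the asset names A and B, the constant-sum swap and every amount are constructed for illustration.

```python
"""Constructed model of LP-share accounting in a stableswap-style pool.

Hypothetical illustration of the bug class described above, not Yearn's
code and not the actual yETH flaw. The vulnerable mint prices each deposited
asset against that asset's own reserve rather than the pool's total value;
once one reserve has been swapped down to dust, a small deposit of that
asset mints an unbounded number of shares, and pro-rata redemption hands the
whole pool to the attacker. Assumes 1:1 pegged assets and a fee-free
constant-sum swap so every number is exact.
"""


class InvariantViolation(Exception):
    """A mint would lower the value backing each outstanding share."""


def assert_backing_not_diluted(supply_before, value_before, supply_after, value_after):
    """Post-condition for any mint: value per share must not fall.

    value_after/supply_after >= value_before/supply_before, cross-multiplied
    so the comparison stays in integers, as it would on-chain.
    """
    if value_after * supply_before < value_before * supply_after:
        raise InvariantViolation(
            f"supply {supply_before}->{supply_after} outpaced backing "
            f"{value_before}->{value_after}"
        )


class Pool:
    def __init__(self, reserves, hardened):
        self.reserves = dict(reserves)        # asset -> units the pool holds
        self.supply = sum(reserves.values())  # bootstrap at one share per unit
        self.shares = {}                      # holder -> LP shares
        self.hardened = hardened

    def value(self):
        # Pegged assets: total backing is simply the sum of reserves.
        return sum(self.reserves.values())

    def swap(self, src, dst, dx):
        # Constant-sum, fee-free. A real stableswap curve makes draining a
        # reserve more expensive but does not remove the mint flaw below.
        if dx >= self.reserves[dst]:
            raise ValueError("swap would empty the reserve")
        self.reserves[src] += dx
        self.reserves[dst] -= dx
        return dx

    def add_liquidity(self, who, asset, amount):
        supply_before, value_before = self.supply, self.value()
        if self.hardened:
            # Price the deposit against everything backing the supply.
            minted = amount * supply_before // value_before
        else:
            # Flawed accounting: price against this asset's reserve alone.
            # A reserve driven to dust makes the denominator tiny.
            minted = amount * supply_before // self.reserves[asset]
        self.reserves[asset] += amount
        self.supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        if self.hardened:
            assert_backing_not_diluted(supply_before, value_before,
                                       self.supply, self.value())
        return minted

    def remove_liquidity(self, who, shares):
        # Pro-rata redemption is correct in both variants, which is exactly
        # why unbacked shares can walk off with the real reserves.
        if shares > self.shares.get(who, 0):
            raise ValueError("insufficient shares")
        out = {a: r * shares // self.supply for a, r in self.reserves.items()}
        for a, amt in out.items():
            self.reserves[a] -= amt
        self.shares[who] -= shares
        self.supply -= shares
        return out


def single_tx_drain(hardened):
    """Swap B down to one unit, deposit a little B, redeem everything.

    Returns (attacker_profit, shares_minted). The attacker starts with
    999_999 A and 1_000 B against a pool of 1_000_000 A and 1_000_000 B.
    """
    pool = Pool({"A": 1_000_000, "B": 1_000_000}, hardened=hardened)
    start = 999_999 + 1_000
    pool.swap("A", "B", 999_999)                   # pool now holds 1 B
    minted = pool.add_liquidity("attacker", "B", 1_000)
    out = pool.remove_liquidity("attacker", minted)
    end = 999_999 - 1_000 + sum(out.values())      # B from swap, minus deposit, plus redemption
    return end - start, minted


def invariant_catches_bad_mint():
    """Run the hardened post-condition as a monitor over the vulnerable mint."""
    pool = Pool({"A": 1_000_000, "B": 1_000_000}, hardened=False)
    pool.swap("A", "B", 999_999)
    supply_before, value_before = pool.supply, pool.value()
    pool.add_liquidity("attacker", "B", 1_000)
    try:
        assert_backing_not_diluted(supply_before, value_before,
                                   pool.supply, pool.value())
    except InvariantViolation:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", single_tx_drain(False))   # (1997000, 2000000000)
    print("hardened:", single_tx_drain(True))      # small rounding loss, 1000 shares
    print("monitor fires:", invariant_catches_bad_mint())
```

Run directly, the vulnerable pool hands the attacker almost the entire 2,000,000 units of backing in exchange for a 1,000-unit deposit, while the hardened pool mints exactly 1,000 shares and leaves the attacker with a small rounding loss. The post-condition is cheap enough to enforce on-chain, and it is the kind of property an invariant-fuzzing harness should assert after every state-changing call when reviewing a legacy pool.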


Parameters

  • Total Funds Lost → $9,000,000 USD (Approximate total value drained from the affected yETH stableswap pools.)
  • Attack Vector → Infinite Token Minting Flaw (A logic error in the custom contract’s mint function.)
  • Affected Component → Legacy yETH Stableswap Pool (A custom, older version of a liquidity pool contract.)
  • Funds Laundered → 1,000 ETH (Approximate amount of ETH sent to Tornado Cash for anonymization.)


Outlook

The immediate mitigation for users is to withdraw any remaining liquidity from non-core, legacy pools, since this incident confirms the risk that outdated contract logic carries. The main second-order effect is heightened scrutiny of custom stableswap implementations and older, unaudited DeFi contracts across the ecosystem, with contagion risk for protocols carrying similar architectural debt. The practice this event should cement → decommission every legacy contract version, or subject it to a formal, high-assurance audit, before it becomes an attack surface.

The exploitation of a basic token-minting flaw in a legacy contract confirms that architectural debt is a critical and quantifiable risk to capital in decentralized finance.

Signal Acquired from → forklog.com

Micro Crypto News Feeds