
Briefing
The Yearn Finance protocol suffered a significant economic exploit targeting its legacy yETH stableswap pool, resulting in a direct loss of user funds. This breach was a result of a critical logic vulnerability within the pool’s custom token minting function, which allowed a malicious actor to create an effectively infinite supply of the yETH token. The attacker subsequently swapped these worthless tokens for real assets, draining the entire pool’s liquidity in a single, atomic transaction. The total quantifiable loss from this sophisticated smart contract exploit is approximately $9 million.

Context
The prevailing risk factor for established DeFi protocols is the operational maintenance of legacy smart contracts, which often contain complex, custom logic that predates modern auditing standards. This incident leveraged a known class of vulnerability: the failure to properly decommission or fully secure older contracts that remain integrated into the protocol’s architecture. The complexity of combining liquid staking derivatives (LSTs) with custom swap code also introduced an unmitigated attack surface.

Analysis
The attack vector was a precision manipulation exploit rooted in the yETH stableswap pool’s custom logic for calculating the token’s exchange rate or “rate-update” function. The attacker exploited a flaw in the mint function, which did not correctly validate the input or the resulting token supply, enabling the creation of over 235 trillion yETH tokens. By injecting this massive, fraudulently minted supply, the attacker was able to artificially inflate the token’s value within the pool’s internal accounting. This manipulation allowed them to redeem all genuine underlying assets (ETH and LSTs) from the pool in a single, atomic transaction, demonstrating a failure of the contract’s invariant checks to prevent the state change.
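
One way to express the kind of post-mint invariant the analysis says was missing, as an added example that is not Yearn's code and does not reproduce the yETH bug: a guard that compares pool state before and after a mint and rejects any mint that lowers the backing per token. The `PoolState` model, the 10 bps tolerance and the sample balances are assumptions constructed for illustration.

```python
from dataclasses import dataclass

WAD = 10**18   # 18-decimal fixed point, as used for ETH amounts
BPS = 10_000


@dataclass(frozen=True)
class PoolState:
    backing: int  # total underlying value held by the pool, in wei (assumed)
    supply: int   # total pool-token supply, in wei


class InvariantViolation(Exception):
    pass


def check_mint(before: PoolState, after: PoolState, tol_bps: int = 10) -> int:
    """Return the amount minted, or raise if the mint dilutes existing holders."""
    minted = after.supply - before.supply
    deposited = after.backing - before.backing
    if minted < 0 or deposited < 0:
        raise InvariantViolation("mint reduced supply or backing")
    if before.supply == 0:
        # Bootstrap: the first depositor gets at most one token per wei (assumed).
        if minted > deposited:
            raise InvariantViolation("bootstrap mint exceeds deposit")
        return minted
    # Backing per token must not fall by more than tol_bps. Cross-multiplied so
    # the comparison is exact integer arithmetic, with no rounding to exploit:
    #   after.backing / after.supply >= (1 - tol) * before.backing / before.supply
    lhs = after.backing * before.supply * BPS
    rhs = before.backing * after.supply * (BPS - tol_bps)
    if lhs < rhs:
        raise InvariantViolation(
            f"minted {minted} against a deposit worth {deposited}")
    return minted


# Constructed sample states (not on-chain data).
BEFORE = PoolState(backing=3_000 * WAD, supply=2_900 * WAD)
FAIR_MINT = 10 * WAD * BEFORE.supply // BEFORE.backing   # tokens for 10 ETH
HONEST = PoolState(BEFORE.backing + 10 * WAD, BEFORE.supply + FAIR_MINT)
# Same deposit, but supply jumps by the 235 trillion tokens the article cites.
INFLATED = PoolState(BEFORE.backing + 10 * WAD,
                     BEFORE.supply + 235 * 10**12 * WAD)

if __name__ == "__main__":
    print("honest mint accepted:", check_mint(BEFORE, HONEST))
    try:
        check_mint(BEFORE, INFLATED)
    except InvariantViolation as exc:
        print("inflated mint rejected:", exc)
```

The same comparison can run on-chain as a final require in the mint path or off-chain as a monitor over state snapshots taken around each mint event.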

Parameters
- Total Financial Loss → ~$9 Million USD – The estimated value of assets drained from the affected pools.
- Vulnerability Type → Infinite Token Minting Flaw – A critical logic error in the legacy yETH contract’s mint function.
- Stolen Funds Route → ~1,000 ETH to Tornado Cash – The initial amount of the stolen funds routed to a mixer for obfuscation.
- Affected Component → Legacy yETH Stableswap Pool – The specific, older smart contract isolated from the protocol’s V2/V3 infrastructure.

Outlook
Immediate mitigation for users involves confirming that their assets are not staked in or approved for interaction with any legacy or unaudited contracts. For the wider ecosystem, this incident mandates an aggressive, systemic review of all non-core, legacy contracts and the immediate implementation of a formal decommissioning or migration plan for all V1/V2 infrastructure. The new security best practice will emphasize the necessity of rigorous, formal verification for any custom stableswap or pricing logic, especially when integrating volatile liquid staking derivatives.

Verdict
This $9 million exploit confirms that the greatest systemic risk in mature DeFi protocols remains the operational security posture around unmigrated, complex legacy contracts.
