Briefing

The Yearn Finance protocol suffered a significant economic exploit targeting its legacy yETH stableswap pool, resulting in a direct loss of user funds. This breach was a result of a critical logic vulnerability within the pool’s custom token minting function, which allowed a malicious actor to create an effectively infinite supply of the yETH token. The attacker subsequently swapped these worthless tokens for real assets, draining the entire pool’s liquidity in a single, atomic transaction. The total quantifiable loss from this sophisticated smart contract exploit is approximately $9 million.

Context

The prevailing risk factor for established DeFi protocols is the operational maintenance of legacy smart contracts, which often contain complex, custom logic that predates modern auditing standards. This incident leveraged a known class of vulnerability → the failure to properly decommission or fully secure older contracts that remain integrated into the protocol’s architecture. The complexity of combining liquid staking derivatives (LSTs) with custom swap code also introduced an unmitigated attack surface.

Analysis

The attack vector was a precision manipulation exploit rooted in the yETH stableswap pool’s custom logic for calculating the token’s exchange rate (its “rate-update” function). The attacker exploited a flaw in the mint function, which did not correctly validate the input or the resulting token supply, enabling the creation of over 235 trillion yETH tokens. By injecting this massive, fraudulently minted supply, the attacker was able to artificially inflate the token’s value within the pool’s internal accounting. This manipulation allowed them to redeem all genuine underlying assets (ETH and LSTs) from the pool in a single, atomic transaction, demonstrating a failure of the contract’s invariant checks to prevent the state change.
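To make the failure mode concrete, the following is a constructed toy model of a stableswap-style pool, added here as an illustration and not Yearn's code: `mint_unchecked` credits whatever amount the rate calculation hands it, while `mint_checked` validates the input and the supply that would result against an explicit backing invariant before any state is written. The flat 1:1 parity valuation, token names and balances are assumptions.

```python
from dataclasses import dataclass, field


class InvariantViolation(Exception):
    """A state change would let pool-token claims exceed the reserves backing them."""


@dataclass
class Pool:
    # Constructed model: ETH-pegged reserves (ETH, LSTs) valued at 1:1 parity, one pool
    # token (yETH-like) per unit of backing. The flat rate stands in for real rate-update logic.
    reserves: dict[str, int]
    lp_supply: int = 0
    lp_balances: dict[str, int] = field(default_factory=dict)

    def total_backing(self) -> int:
        return sum(self.reserves.values())

    def supply_backed(self) -> bool:
        # Pool invariant: outstanding pool tokens never exceed the reserves that redeem them.
        return self.lp_supply <= self.total_backing()

    def _credit(self, user: str, token: str, amount_in: int, lp_out: int) -> int:
        self.reserves[token] = self.reserves.get(token, 0) + amount_in
        self.lp_supply += lp_out
        self.lp_balances[user] = self.lp_balances.get(user, 0) + lp_out
        return lp_out

    def mint_unchecked(self, user: str, token: str, amount_in: int, lp_out: int) -> int:
        # Vulnerable pattern from the briefing: lp_out arrives from the rate calculation and is
        # credited without validating it or the supply that results.
        return self._credit(user, token, amount_in, lp_out)

    def mint_checked(self, user: str, token: str, amount_in: int, lp_out: int) -> int:
        # Hardened pattern: validate the input, then validate the supply that would result
        # before any state is written, so an over-mint is rejected instead of committed.
        if amount_in <= 0 or lp_out <= 0 or token not in self.reserves:
            raise ValueError("invalid mint input")
        if self.lp_supply + lp_out > self.total_backing() + amount_in:
            raise InvariantViolation(f"minting {lp_out} for {amount_in} would leave supply unbacked")
        return self._credit(user, token, amount_in, lp_out)

    def redeem(self, user: str, lp_amount: int) -> dict[str, int]:
        # Pro-rata withdrawal of every reserve: an inflated supply turns this into a drain.
        if lp_amount <= 0 or self.lp_balances.get(user, 0) < lp_amount:
            raise ValueError("insufficient pool tokens")
        share = {t: r * lp_amount // self.lp_supply for t, r in self.reserves.items()}
        for t, amt in share.items():
            self.reserves[t] -= amt
        self.lp_supply -= lp_amount
        self.lp_balances[user] -= lp_amount
        return share
```

Seeding the pool with 2000 units of backing and 2000 pool tokens, an unchecked mint of 235 trillion tokens against a deposit of 1 lets a redeem take essentially every reserve, while the checked mint rejects the same call and leaves the invariant intact.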

Parameters

  • Total Financial Loss → ~$9 Million USD – The estimated value of assets drained from the affected pools.
  • Vulnerability Type → Infinite Token Minting Flaw – A critical logic error in the legacy yETH contract’s mint function.
  • Stolen Funds Route → ~1,000 ETH to Tornado Cash – The initial amount of the stolen funds routed to a mixer for obfuscation.
  • Affected Component → Legacy yETH Stableswap Pool – The specific, older smart contract isolated from the protocol’s V2/V3 infrastructure.

Outlook

Immediate mitigation for users involves confirming that their assets are not staked in or approved for interaction with any legacy or unaudited contracts. For the wider ecosystem, this incident mandates an aggressive, systemic review of all non-core, legacy contracts and the immediate implementation of a formal decommissioning or migration plan for all V1/V2 infrastructure. The new security best practice will emphasize the necessity of rigorous, formal verification for any custom stableswap or pricing logic, especially when integrating volatile liquid staking derivatives.

Verdict

This $9 million exploit confirms that the greatest systemic risk in mature DeFi protocols remains the operational security posture around unmigrated, complex legacy contracts.

Signal Acquired from → banklesstimes.com

Micro Crypto News Feeds

smart contract exploit

Definition ∞ A smart contract exploit is a security vulnerability within a self-executing contract that is intentionally leveraged by malicious actors.

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

stolen funds

Definition ∞ Stolen funds represent digital assets that have been unlawfully acquired from their rightful owners.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

staking derivatives

Definition ∞ Staking derivatives are liquid tokens that represent staked assets on a proof-of-stake blockchain, allowing users to maintain liquidity while earning staking rewards.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.