Briefing

The Yearn Finance protocol suffered a significant economic exploit targeting its legacy yETH stableswap pool, resulting in a direct loss of user funds. The root cause was a critical logic flaw in the pool's custom token-minting path, which allowed an attacker to create an effectively unlimited supply of the pool's yETH token. The attacker then redeemed these unbacked tokens against the pool's genuine reserves, draining its liquidity in a single atomic transaction. The total quantifiable loss is approximately $9 million.


Context

The prevailing risk factor for established DeFi protocols is the operational maintenance of legacy smart contracts, which often contain complex, custom logic that predates modern auditing standards. This incident falls into a known class of failure → older contracts that are neither fully decommissioned nor fully secured, yet remain reachable within the protocol's architecture. Combining liquid staking tokens (LSTs) with custom swap code also introduced an unmitigated attack surface, since the pool's accounting has to track a separate exchange rate for each LST, and every path that turns those rates into pool-token supply has to be validated.


Analysis

The attack vector was a precision manipulation of the yETH stableswap pool's custom logic for calculating the pool token's exchange rate, its "rate-update" function. The attacker exploited a flaw in the mint path, which validated neither its input nor the resulting token supply, and created over 235 trillion yETH. Because the pool token is a pro-rata claim on the pool's reserves, holding almost the entire supply gave the attacker almost the entire claim: they redeemed all genuine underlying assets (ETH and LSTs) from the pool in a single atomic transaction. The contract's invariant checks did not stop this state change, which is the core failure: nothing verified that newly minted supply was backed by value that had actually entered the pool.
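The following is an added, constructed model of this vulnerability class and is not the yETH contract or Yearn's code. It simplifies the pool to a constant-sum of rate-weighted balances (standing in for the stableswap invariant), gives the vulnerable pool a rate-update path that mints the apparent gain in pool value to whoever supplied the rates, and contrasts it with a hardened pool whose rates can only come from a fixed provider and whose every mint must satisfy a post-condition: value per pool token must not fall. Asset names, the "oracle" provider identity and all amounts are assumptions for the demonstration.

```python
"""Constructed model of an unbacked-mint flaw in a pool-token contract (not yETH's code)."""
from dataclasses import dataclass, field

WAD = 10**18  # fixed-point scale for rates, as in Ethereum token math


class PoolError(Exception):
    pass


@dataclass
class Pool:
    balances: dict                          # asset -> raw units held by the pool
    rates: dict                             # asset -> base units per raw unit (WAD-scaled)
    supply: int = 0                         # total pool-token (LP) supply
    lp: dict = field(default_factory=dict)  # holder -> pool-token balance

    def invariant(self, rates=None):
        """Total pool value in base units: the sum of virtual balances."""
        rates = self.rates if rates is None else rates
        return sum(self.balances[a] * rates[a] // WAD for a in self.balances)

    def add_liquidity(self, who, amounts):
        d_old = self.invariant()
        for asset, x in amounts.items():
            self.balances[asset] += x
        d_new = self.invariant()
        minted = d_new if self.supply == 0 else self.supply * (d_new - d_old) // d_old
        self._mint(who, minted, d_old)
        return minted

    def remove_liquidity(self, who, lp_amount):
        """Burn pool tokens and pay out a pro-rata share of every asset held."""
        if self.lp.get(who, 0) < lp_amount:
            raise PoolError("insufficient pool-token balance")
        out = {a: self.balances[a] * lp_amount // self.supply for a in self.balances}
        for asset, x in out.items():
            self.balances[asset] -= x
        self.lp[who] -= lp_amount
        self.supply -= lp_amount
        return out

    def _mint(self, who, amount, d_before):
        self.lp[who] = self.lp.get(who, 0) + amount
        self.supply += amount


class VulnerablePool(Pool):
    """Rate update trusts caller-supplied rates and mints the apparent gain as supply."""

    def update_rates(self, caller, new_rates):
        d_old = self.invariant()
        d_new = self.invariant(new_rates)
        self.rates = new_rates
        if d_new > d_old:
            # Neither the input rates nor the resulting supply is validated.
            self._mint(caller, self.supply * (d_new - d_old) // d_old, d_old)


class HardenedPool(Pool):
    """Rates come only from a fixed provider, and every mint is checked for backing."""

    def __init__(self, balances, rates, rate_provider):
        super().__init__(balances, rates)
        self.rate_provider = rate_provider  # hypothetical trusted oracle identity

    def update_rates(self, caller, new_rates):
        if caller != self.rate_provider:
            raise PoolError("rates may only be set by the configured provider")
        self.rates = new_rates  # yield raises value per pool token; it never mints

    def _mint(self, who, amount, d_before):
        supply_before = self.supply
        super()._mint(who, amount, d_before)
        # Post-condition: value per pool token must not fall, so the new tokens
        # are backed by value that actually entered the pool since d_before.
        if supply_before and self.invariant() * supply_before < d_before * self.supply:
            raise PoolError("unbacked mint: supply grew faster than pool value")


def fresh(cls, **kw):
    """Empty two-asset pool with both rates at 1.0 (constructed sample state)."""
    return cls({"wETH": 0, "stETH": 0}, {"wETH": WAD, "stETH": WAD}, **kw)


def run_attack(pool):
    """Honest deposit, then the attacker pushes absurd rates and redeems everything."""
    pool.add_liquidity("alice", {"wETH": 600 * WAD, "stETH": 400 * WAD})
    pool.add_liquidity("attacker", {"wETH": 1 * WAD, "stETH": 0})
    pool.update_rates("attacker", {"wETH": WAD * 10**12, "stETH": WAD * 10**12})
    return pool.remove_liquidity("attacker", pool.lp["attacker"])


def attack_is_blocked(pool):
    try:
        run_attack(pool)
    except PoolError:
        return True
    return False


def unbacked_mint_is_blocked(pool):
    """A mint with no matching deposit must trip the post-condition."""
    pool.add_liquidity("alice", {"wETH": 10 * WAD, "stETH": 0})
    try:
        pool._mint("attacker", 10**30, pool.invariant())
    except PoolError:
        return True
    return False


def legit_yield(pool):
    """Provider reports 5% LST appreciation: pool value rises, supply stays put."""
    pool.add_liquidity("alice", {"wETH": 0, "stETH": 100 * WAD})
    pool.update_rates("oracle", {"wETH": WAD, "stETH": WAD * 105 // 100})
    return pool.supply, pool.invariant()


if __name__ == "__main__":
    loot = run_attack(fresh(VulnerablePool))
    print("vulnerable pool drained:", {k: v / WAD for k, v in loot.items()})
    print("hardened pool blocks attack:", attack_is_blocked(fresh(HardenedPool, rate_provider="oracle")))
```

In the vulnerable pool the attacker's 1 wETH deposit ends up owning all but a trillionth of the supply, so a single `remove_liquidity` call returns essentially every wei of the honest deposit; that is the "mint, then redeem against real assets" shape described above. The hardened pool closes both doors: the untrusted caller cannot set rates at all, and even a mint reached by some other bug fails the backing check.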


Parameters

  • Total Financial Loss → ~$9 Million USD – The estimated value of assets drained from the affected pool.
  • Vulnerability Type → Infinite Token Minting Flaw – A critical logic error in the legacy yETH contract's mint function.
  • Stolen Funds Route → ~1,000 ETH to Tornado Cash – The initial tranche of stolen funds routed to a mixer for obfuscation.
  • Affected Component → Legacy yETH Stableswap Pool – The specific, older smart contract, isolated from the protocol's V2/V3 infrastructure.


Outlook

Immediate mitigation for users is to confirm that their assets are neither deposited in nor approved for spending by any legacy or unaudited contract, and to revoke stale token approvals where they are found. For the wider ecosystem, this incident calls for a systematic review of all non-core legacy contracts and a formal decommissioning or migration plan for any V1/V2 infrastructure that is still reachable. Security best practice will increasingly demand rigorous, ideally formal, verification of any custom stableswap or pricing logic, especially the rate-update and supply paths that integrate volatile liquid staking derivatives, with explicit post-state checks that minted supply remains backed by deposited value.


Verdict

This $9 million exploit confirms that the greatest systemic risk in mature DeFi protocols remains the operational security posture around unmigrated, complex legacy contracts.

Signal Acquired from → banklesstimes.com

Micro Crypto News Feeds

smart contract exploit

Definition ∞ A smart contract exploit is the deliberate abuse, by a malicious actor, of a security vulnerability in a self-executing contract.

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

stolen funds

Definition ∞ Stolen funds represent digital assets that have been unlawfully acquired from their rightful owners.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

staking derivatives

Definition ∞ Staking derivatives are liquid tokens that represent staked assets on a proof-of-stake blockchain, allowing users to maintain liquidity while earning staking rewards.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.