Security

Yearn Finance Legacy yETH Pool Drained via Infinite Token Minting Flaw

A critical logic flaw in a legacy stableswap pool enabled an attacker to mint an unlimited token supply, compromising liquidity pool integrity.
December 2, 20253 min

A close-up view reveals a transparent, multi-chambered mechanism containing distinct white granular material actively moving over a textured blue base. The white substance appears agitated and flowing, guided by the clear structural elements, with a circular metallic component visible within the blue substrate
A large, textured sphere, resembling a celestial body, partially submerges in dark blue liquid, generating dynamic splashes. Smaller white spheres interact with the fluid

Briefing

The Yearn Finance protocol suffered a significant economic exploit targeting its legacy yETH stableswap pool, resulting in a direct loss of user funds. This breach was a result of a critical logic vulnerability within the pool’s custom token minting function, which allowed a malicious actor to create an effectively infinite supply of the yETH token. The attacker subsequently swapped these worthless tokens for real assets, draining the entire pool’s liquidity in a single, atomic transaction. The total quantifiable loss from this sophisticated smart contract exploit is approximately $9 million.

A luminous, translucent blue-grey amorphous structure elegantly envelops a vibrant, solid blue sphere, set against a subtle gradient background. The flowing, organic forms create a sense of depth and protection around the central element

Context

The prevailing risk factor for established DeFi protocols is the operational maintenance of legacy smart contracts, which often contain complex, custom logic that predates modern auditing standards. This incident leveraged a known class of vulnerability → the failure to properly decommission or fully secure older contracts that remain integrated into the protocol’s architecture. The complexity of combining liquid staking derivatives (LSTs) with custom swap code also introduced an unmitigated attack surface.

A futuristic, interconnected mechanism floats in a dark, star-speckled expanse, characterized by two large, segmented rings and a central satellite-like module. Intense blue light radiates from the central junction of the rings, illuminating intricate internal components and suggesting active data processing or energy transfer, mirroring the operational dynamics of a Proof-of-Stake PoS consensus algorithm or a Layer 2 scaling solution

Analysis

The attack vector was a precision manipulation exploit rooted in the yETH stableswap pool’s custom logic for calculating the token’s exchange rate or “rate-update” function. The attacker exploited a flaw in the mint function, which did not correctly validate the input or the resulting token supply, enabling the creation of over 235 trillion yETH tokens. By injecting this massive, fraudulently minted supply, the attacker was able to artificially inflate the token’s value within the pool’s internal accounting. This manipulation allowed them to redeem all genuine underlying assets (ETH and LSTs) from the pool in a single, atomic transaction, demonstrating a failure of the contract’s invariant checks to prevent the state change.

A partially opened, textured metallic vault structure showcases an interior teeming with dynamic blue and white cloud-like formations, representing the intricate flow of digital asset liquidity. Prominent metallic elements, including a spherical dial and concentric rings, underscore the robust cryptographic security protocols and underlying blockchain infrastructure

Parameters

  • Total Financial Loss → ~$9 Million USD – The estimated value of assets drained from the affected pools.
  • Vulnerability TypeInfinite Token Minting Flaw – A critical logic error in the legacy yETH contract’s mint function.
  • Stolen Funds Route → ~1,000 ETH to Tornado Cash – The initial amount of the stolen funds routed to a mixer for obfuscation.
  • Affected Component → Legacy yETH Stableswap Pool – The specific, older smart contract isolated from the protocol’s V2/V3 infrastructure.

A detailed view of a complex, multi-layered metallic structure featuring prominent blue translucent elements, partially obscured by swirling white, cloud-like material. A reflective silver sphere is embedded within the intricate framework, suggesting dynamic interaction and movement

Outlook

Immediate mitigation for users involves confirming that their assets are not staked in or approved for interaction with any legacy or unaudited contracts. For the wider ecosystem, this incident mandates an aggressive, systemic review of all non-core, legacy contracts and the immediate implementation of a formal decommissioning or migration plan for all V1/V2 infrastructure. The new security best practice will emphasize the necessity of rigorous, formal verification for any custom stableswap or pricing logic, especially when integrating volatile liquid staking derivatives.

A close-up view shows a grey, structured container partially filled with a vibrant blue liquid, featuring numerous white bubbles and a clear, submerged circular object. The dynamic composition highlights an active process occurring within a contained system

Verdict

This $9 million exploit confirms that the greatest systemic risk in mature DeFi protocols remains the operational security posture around unmigrated, complex legacy contracts.

smart contract exploit, infinite mint vulnerability, DeFi protocol drain, token supply manipulation, liquidity pool attack, legacy contract risk, stableswap pool flaw, on-chain forensic analysis, yield aggregator security, Ethereum LST derivative, pricing manipulation, atomic transaction, code fragility, invariant check failure, fund obfuscation, liquid staking token, multi-chain risk assessment, protocol treasury risk, governance proposal, smart contract auditor, security post-mortem, asset recovery plan, decentralized finance risk, token vault security. Signal Acquired from → banklesstimes.com

Micro Crypto News Feeds

smart contract exploit

Definition ∞ A smart contract exploit is a security vulnerability within a self-executing contract that is intentionally leveraged by malicious actors.

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

atomic transaction

Definition ∞ An atomic transaction is a sequence of operations that either completely finishes or completely fails, leaving no partial results.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

stolen funds

Definition ∞ Stolen funds represent digital assets that have been unlawfully acquired from their rightful owners.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

staking derivatives

Definition ∞ Staking derivatives are liquid tokens that represent staked assets on a proof-of-stake blockchain, allowing users to maintain liquidity while earning staking rewards.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

Tags:

Tags: