Security

Yearn Finance StableSwap Pool Drained by Infinite Token Minting Flaw

Unchecked arithmetic in a custom yETH contract enabled a token supply inflation attack, leading to a $9 million liquidity drain.
December 3, 20253 min

Abstract, flowing forms in translucent white and vibrant deep blue dominate the frame, set against a dark, gradient background. The composition features smooth, overlapping layers that create a sense of depth and continuous movement, with light reflecting off the polished surfaces
A close-up view shows a grey, structured container partially filled with a vibrant blue liquid, featuring numerous white bubbles and a clear, submerged circular object. The dynamic composition highlights an active process occurring within a contained system

Briefing

The Yearn Finance yETH StableSwap pool was compromised via a critical arithmetic flaw in a custom token contract, resulting in a loss of approximately $9 million in liquid staking tokens. This attack leveraged an unchecked calculation bug to mint an astronomical number of yETH tokens, thereby manipulating the token’s share price and draining the pool’s underlying assets. The immediate consequence is a significant capital loss for users of the affected pool, with the total financial impact quantified at $9 million, of which $2.4 million has been recovered.

A close-up view presents a futuristic blue and silver device, featuring a prominent clear, faceted crystalline object surrounded by numerous small bubbles, set within an intricate metallic framework. The detailed composition highlights textured surfaces and reflective elements, conveying a sense of advanced technology

Context

The prevailing security posture for complex DeFi protocols, even those with multiple audits, includes an inherent risk from custom-coded components. This incident specifically leveraged a class of vulnerability → arithmetic errors in token accounting logic → that is often missed by standard security reviews focused on known attack patterns like reentrancy. The reliance on custom StableSwap pool logic, rather than fully battle-tested, standard components, created a novel and exploitable attack surface.

A white, segmented, spherical object with a metallic component is partially submerged in dark water. Blue, crystalline fragments emanate from the object, interacting with the water's surface

Analysis

The attacker executed the exploit by targeting an unchecked arithmetic function within the yETH token’s custom contract. This specific bug allowed the attacker to bypass normal supply constraints and mint an effectively infinite amount of the yETH receipt token. With the massively inflated token supply, the attacker was able to exchange the worthless, newly-minted tokens for a disproportionate amount of the underlying, valuable liquid staking tokens held in the StableSwap pool. This exchange successfully drained the pool’s liquidity before the protocol’s automated systems could halt the transaction.

A close-up view reveals a transparent, multi-chambered mechanism containing distinct white granular material actively moving over a textured blue base. The white substance appears agitated and flowing, guided by the clear structural elements, with a circular metallic component visible within the blue substrate

Parameters

  • Total Loss → $9 Million – The estimated total value of liquid staking tokens and ETH drained from the StableSwap pool.
  • Vulnerability Type → Unchecked Arithmetic Flaw – The specific code error that enabled the infinite token minting exploit.
  • Recovered Funds → $2.4 Million – The amount of stolen assets successfully recovered through coordinated efforts with DeFi partners.
  • Affected Asset → yETH Token – The receipt token whose custom contract logic contained the exploitable minting bug.

A detailed view of a complex, multi-layered metallic structure featuring prominent blue translucent elements, partially obscured by swirling white, cloud-like material. A reflective silver sphere is embedded within the intricate framework, suggesting dynamic interaction and movement

Outlook

Immediate mitigation for users of similar protocols requires the temporary pausing of deposits and withdrawals on any custom, unaudited, or newly deployed token contracts. The second-order effect is a heightened scrutiny on all custom arithmetic logic within DeFi protocols, particularly those involving share price calculation and token minting, which will likely establish a new, stricter standard for formal verification of token contract mathematics. Protocols must now prioritize immutable, battle-tested library functions over custom code for core financial operations to mitigate contagion risk.

A sharp, metallic, silver-grey structure, partially covered in white snow, emerges from a vibrant blue, textured mass, itself snow-dusted and resting in calm, rippling water. Another smaller, similar blue and white formation is visible to the left, all set against a soft, cloudy sky

Verdict

This breach confirms that custom arithmetic logic remains a critical, high-impact zero-day vector, demonstrating that even veteran protocols are not immune to fundamental smart contract design flaws.

smart contract vulnerability, arithmetic logic error, token supply inflation, decentralized finance exploit, liquidity pool drain, custom contract risk, unchecked calculations, DeFi security failure, asset manipulation, stable swap pool, on-chain forensics, protocol security, token minting flaw, code audit gap, liquid staking tokens, yield aggregator risk, digital asset theft, smart contract audit, security posture, risk mitigation Signal Acquired from → unchainedcrypto.com

Micro Crypto News Feeds

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

amount

Definition ∞ Amount signifies a quantified measure of value, volume, or quantity, typically referring to digital assets or fiat currency within transactions.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

Tags:

Tags: