Security

Yearn Finance StableSwap Pool Drained by Infinite Token Minting Flaw

Unchecked arithmetic in a custom yETH contract enabled a token supply inflation attack, leading to a $9 million liquidity drain.
December 3, 20253 min

A close-up view showcases a futuristic, metallic device with blue glowing elements, partially encased in a translucent, blue, gel-like substance. The device features intricate internal components, including what appear to be gears and circuits, suggesting advanced mechanical and digital functionality
A surreal digital artwork features a textured white vessel, resembling a snow-covered basin, partially submerged in rippling dark blue water. Within this structure, a prominent blue crystalline object, surrounded by smaller sparkling blue fragments, creates dynamic splashes, suggesting motion and energy

Briefing

The Yearn Finance yETH StableSwap pool was compromised via a critical arithmetic flaw in a custom token contract, resulting in a loss of approximately $9 million in liquid staking tokens. This attack leveraged an unchecked calculation bug to mint an astronomical number of yETH tokens, thereby manipulating the token’s share price and draining the pool’s underlying assets. The immediate consequence is a significant capital loss for users of the affected pool, with the total financial impact quantified at $9 million, of which $2.4 million has been recovered.

The image displays a close-up, high-fidelity rendering of an intricate mechanical or digital component. It features concentric layers of white and blue textured materials surrounding a central array of radiating white bristles, all encased within metallic and white structural elements

Context

The prevailing security posture for complex DeFi protocols, even those with multiple audits, includes an inherent risk from custom-coded components. This incident specifically leveraged a class of vulnerability → arithmetic errors in token accounting logic → that is often missed by standard security reviews focused on known attack patterns like reentrancy. The reliance on custom StableSwap pool logic, rather than fully battle-tested, standard components, created a novel and exploitable attack surface.

A futuristic metallic device, possibly a satellite or specialized node, is partially submerged in a calm body of water. From its lower section, a vigorous stream of bright blue liquid, intermingled with white foam, forcefully ejects, creating dynamic ripples and splashes on the water's surface

Analysis

The attacker executed the exploit by targeting an unchecked arithmetic function within the yETH token’s custom contract. This specific bug allowed the attacker to bypass normal supply constraints and mint an effectively infinite amount of the yETH receipt token. With the massively inflated token supply, the attacker was able to exchange the worthless, newly-minted tokens for a disproportionate amount of the underlying, valuable liquid staking tokens held in the StableSwap pool. This exchange successfully drained the pool’s liquidity before the protocol’s automated systems could halt the transaction.

Angular, reflective metallic structures resembling advanced computing hardware interlock with vibrant blue crystalline formations encrusted with a white, frosty substance. A luminous, textured sphere, evocative of a moon, floats centrally amidst these elements

Parameters

  • Total Loss → $9 Million – The estimated total value of liquid staking tokens and ETH drained from the StableSwap pool.
  • Vulnerability Type → Unchecked Arithmetic Flaw – The specific code error that enabled the infinite token minting exploit.
  • Recovered Funds → $2.4 Million – The amount of stolen assets successfully recovered through coordinated efforts with DeFi partners.
  • Affected Asset → yETH Token – The receipt token whose custom contract logic contained the exploitable minting bug.

A sleek, metallic component with a hexagonal opening is enveloped by a translucent, vibrant blue structure that appears to flow and twist around its core. The object rests on a smooth, light grey surface, highlighting its intricate design and reflective properties

Outlook

Immediate mitigation for users of similar protocols requires the temporary pausing of deposits and withdrawals on any custom, unaudited, or newly deployed token contracts. The second-order effect is a heightened scrutiny on all custom arithmetic logic within DeFi protocols, particularly those involving share price calculation and token minting, which will likely establish a new, stricter standard for formal verification of token contract mathematics. Protocols must now prioritize immutable, battle-tested library functions over custom code for core financial operations to mitigate contagion risk.

A white, cylindrical, futuristic object, resembling a rocket or data capsule, is partially submerged in blue water. The water surface around the object is agitated with ripples and white foam, while glowing blue circuit board-like patterns are visible beneath the clear blue water

Verdict

This breach confirms that custom arithmetic logic remains a critical, high-impact zero-day vector, demonstrating that even veteran protocols are not immune to fundamental smart contract design flaws.

smart contract vulnerability, arithmetic logic error, token supply inflation, decentralized finance exploit, liquidity pool drain, custom contract risk, unchecked calculations, DeFi security failure, asset manipulation, stable swap pool, on-chain forensics, protocol security, token minting flaw, code audit gap, liquid staking tokens, yield aggregator risk, digital asset theft, smart contract audit, security posture, risk mitigation Signal Acquired from → unchainedcrypto.com

Micro Crypto News Feeds

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

amount

Definition ∞ Amount signifies a quantified measure of value, volume, or quantity, typically referring to digital assets or fiat currency within transactions.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

Tags:

Tags: