Briefing

The Yearn Finance yETH StableSwap pool was compromised via a critical arithmetic flaw in a custom token contract, resulting in a loss of approximately $9 million in liquid staking tokens. This attack leveraged an unchecked calculation bug to mint an astronomical number of yETH tokens, thereby manipulating the token’s share price and draining the pool’s underlying assets. The immediate consequence is a significant capital loss for users of the affected pool, with the total financial impact quantified at $9 million, of which $2.4 million has been recovered.


Context

The prevailing security posture for complex DeFi protocols, even those with multiple audits, includes an inherent risk from custom-coded components. This incident leveraged a class of vulnerability, arithmetic errors in token accounting logic, that is often missed by standard security reviews focused on known attack patterns such as reentrancy. The reliance on custom StableSwap pool logic, rather than fully battle-tested, standard components, created a novel and exploitable attack surface.


Analysis

The attacker executed the exploit by targeting an unchecked arithmetic function within the yETH token’s custom contract. This specific bug allowed the attacker to bypass normal supply constraints and mint an effectively infinite amount of the yETH receipt token. With the massively inflated token supply, the attacker was able to exchange the worthless, newly-minted tokens for a disproportionate amount of the underlying, valuable liquid staking tokens held in the StableSwap pool. This exchange successfully drained the pool’s liquidity before the protocol’s automated systems could halt the transaction.
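To make the mechanism in the analysis concrete, here is an added, hypothetical Python model of a vault-style receipt token; it is not the yETH pool's code and does not reproduce the specific bug in that contract. It assumes a common pattern in which the deposit amount is derived from a token-balance delta, emulates EVM wrapping (unchecked) versus checked uint256 subtraction, and places the flawed mint path beside a hardened one that adds the post-condition a reviewer would want: a deposit must not move the price per share beyond rounding. A monitoring rule at the end shows how an off-chain watcher can flag a mint that far exceeds what the deposit should have earned.

```python
"""Toy receipt-token vault: an unchecked-arithmetic mint flaw, the checked
version, and an invariant check. Added, hypothetical illustration; not the
yETH pool's code and not its actual bug."""

UINT256_MOD = 2**256   # EVM word size; unchecked arithmetic wraps modulo this
WAD = 10**18           # 1e18 fixed-point scale used by most ERC-20 vaults


def wrapping_sub(a, b):
    """Emulate `unchecked { a - b }` on uint256: underflow silently wraps."""
    return (a - b) % UINT256_MOD


def checked_sub(a, b):
    """Emulate default Solidity >= 0.8 checked subtraction: underflow reverts."""
    if b > a:
        raise ArithmeticError("uint256 underflow")
    return a - b


class Vault:
    """Receipt-token vault: `supply` shares claim `assets` underlying tokens."""

    def __init__(self, assets, supply):
        self.assets = assets
        self.supply = supply

    def share_price(self):
        """Underlying tokens per share, WAD-scaled."""
        return self.assets * WAD // self.supply

    def shares_for(self, deposited):
        """Shares owed for a deposit at the current price per share."""
        return deposited * self.supply // self.assets


def deposit_unchecked(vault, balance_before, balance_after):
    """Vulnerable (hypothetical): derives the deposit from a balance delta with
    the operands reversed inside wrapping arithmetic. A perfectly normal deposit
    therefore underflows to roughly 2**256 and mints an astronomical share
    count, collapsing the price per share for everyone else."""
    deposited = wrapping_sub(balance_before, balance_after)  # bug: reversed operands
    minted = vault.shares_for(deposited)
    vault.assets = balance_after
    vault.supply += minted
    return minted


def assert_price_stable(before, after, tolerance_wad=10**12):
    """Deposits and withdrawals must leave price-per-share unchanged up to
    rounding; a larger move means the accounting is broken."""
    if abs(after - before) > tolerance_wad:
        raise ArithmeticError(f"share price moved {before} -> {after}")


def deposit_checked(vault, balance_before, balance_after):
    """Hardened: checked subtraction in the right order, plus a post-condition
    on the share price so a wrong delta cannot silently inflate supply."""
    price_before = vault.share_price()
    deposited = checked_sub(balance_after, balance_before)
    minted = vault.shares_for(deposited)
    vault.assets = balance_after
    vault.supply += minted
    assert_price_stable(price_before, vault.share_price())
    return minted


def flag_suspicious_mint(deposited, minted, supply_before, assets_before, max_ratio=2):
    """Off-chain monitoring rule: compare minted shares with what the deposit
    should have earned; a large excess is the signature of supply inflation."""
    expected = deposited * supply_before // assets_before
    return minted > expected * max_ratio


def reverts(fn, *args):
    """True if the call raises ArithmeticError (the model of an EVM revert)."""
    try:
        fn(*args)
    except ArithmeticError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: a 1000-token pool with 1000 shares, then a 10-token deposit.
    v = Vault(assets=1000 * WAD, supply=1000 * WAD)
    minted = deposit_unchecked(v, 1000 * WAD, 1010 * WAD)
    print("unchecked mint:", minted, "share price after:", v.share_price())
    print("flagged:", flag_suspicious_mint(10 * WAD, minted, 1000 * WAD, 1000 * WAD))
```

The hardened path fails closed twice: the checked subtraction reverts if the delta is ever negative, and the share-price post-condition catches any other accounting error that would mint shares out of proportion to the deposit. The monitoring rule is the same comparison run from outside the contract, which is where a drain of this kind would first show up in on-chain forensics.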


Parameters

  • Total Loss → $9 Million – The estimated total value of liquid staking tokens and ETH drained from the StableSwap pool.
  • Vulnerability Type → Unchecked Arithmetic Flaw – The specific code error that enabled the infinite token minting exploit.
  • Recovered Funds → $2.4 Million – The amount of stolen assets successfully recovered through coordinated efforts with DeFi partners.
  • Affected Asset → yETH Token – The receipt token whose custom contract logic contained the exploitable minting bug.


Outlook

Immediate mitigation for similar protocols requires temporarily pausing deposits and withdrawals on any custom, unaudited, or newly deployed token contracts. The second-order effect is heightened scrutiny of all custom arithmetic logic within DeFi protocols, particularly logic involving share price calculation and token minting, which will likely establish a new, stricter standard for formal verification of token contract mathematics. Protocols must now prioritize immutable, battle-tested library functions over custom code for core financial operations to mitigate contagion risk.


Verdict

This breach confirms that custom arithmetic logic remains a critical, high-impact zero-day vector, demonstrating that even veteran protocols are not immune to fundamental smart contract design flaws.

Signal Acquired from → unchainedcrypto.com

Micro Crypto News Feeds

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

amount

Definition ∞ Amount signifies a quantified measure of value, volume, or quantity, typically referring to digital assets or fiat currency within transactions.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.