Security

Yearn Finance StableSwap Pool Drained by Infinite Token Minting Flaw

Unchecked arithmetic in a custom yETH contract enabled a token supply inflation attack, leading to a $9 million liquidity drain.
December 3, 20253 min

A pristine white, multi-bladed spherical mechanism is central, actively processing a luminous blue fluid stream. The background reveals blurred, intricate components with blue light accents, suggesting complex machinery
A translucent, irregularly shaped object, covered in numerous water droplets, reveals a deep blue interior and a smooth, light-colored central opening. The object's surface exhibits a textured, almost frosted appearance due to the condensation, contrasting with the vibrant, uniform blue within

Briefing

The Yearn Finance yETH StableSwap pool was compromised via a critical arithmetic flaw in a custom token contract, resulting in a loss of approximately $9 million in liquid staking tokens. This attack leveraged an unchecked calculation bug to mint an astronomical number of yETH tokens, thereby manipulating the token’s share price and draining the pool’s underlying assets. The immediate consequence is a significant capital loss for users of the affected pool, with the total financial impact quantified at $9 million, of which $2.4 million has been recovered.

The image displays a luminous white sphere, partially enveloped by a flowing, transparent blue material, and surrounded by intricate mechanical components. A central dark circle with a bright blue rim is prominent on the sphere's surface

Context

The prevailing security posture for complex DeFi protocols, even those with multiple audits, includes an inherent risk from custom-coded components. This incident specifically leveraged a class of vulnerability → arithmetic errors in token accounting logic → that is often missed by standard security reviews focused on known attack patterns like reentrancy. The reliance on custom StableSwap pool logic, rather than fully battle-tested, standard components, created a novel and exploitable attack surface.

A detailed close-up reveals a transparent, organic structure composed of interconnected bubbles and viscous strands, enveloping a vibrant blue and metallic core. This intricate visual metaphor represents the complex inner workings of advanced cryptocurrency protocols

Analysis

The attacker executed the exploit by targeting an unchecked arithmetic function within the yETH token’s custom contract. This specific bug allowed the attacker to bypass normal supply constraints and mint an effectively infinite amount of the yETH receipt token. With the massively inflated token supply, the attacker was able to exchange the worthless, newly-minted tokens for a disproportionate amount of the underlying, valuable liquid staking tokens held in the StableSwap pool. This exchange successfully drained the pool’s liquidity before the protocol’s automated systems could halt the transaction.

The image features a sophisticated mechanical assembly composed of blue and silver gears, shafts, and rings, intricately intertwined. White granular particles are scattered around and within these components, while a transparent, syringe-like element extends from the left

Parameters

  • Total Loss → $9 Million – The estimated total value of liquid staking tokens and ETH drained from the StableSwap pool.
  • Vulnerability Type → Unchecked Arithmetic Flaw – The specific code error that enabled the infinite token minting exploit.
  • Recovered Funds → $2.4 Million – The amount of stolen assets successfully recovered through coordinated efforts with DeFi partners.
  • Affected Asset → yETH Token – The receipt token whose custom contract logic contained the exploitable minting bug.

A vibrant, multifaceted blue digital asset, reminiscent of a high-value token or a core cryptographic primitive, is seen partially immersed in a bed of white, effervescent foam. Adjacent to it, a sleek metallic device, potentially a hardware wallet or a component of a node, is also touched by the foam

Outlook

Immediate mitigation for users of similar protocols requires the temporary pausing of deposits and withdrawals on any custom, unaudited, or newly deployed token contracts. The second-order effect is a heightened scrutiny on all custom arithmetic logic within DeFi protocols, particularly those involving share price calculation and token minting, which will likely establish a new, stricter standard for formal verification of token contract mathematics. Protocols must now prioritize immutable, battle-tested library functions over custom code for core financial operations to mitigate contagion risk.

A detailed view reveals a dynamic interplay of translucent, deep blue, viscous material forming wave-like structures over a dark, linear grid. Centrally, a textured white sphere is securely held and partially submerged by this blue substance

Verdict

This breach confirms that custom arithmetic logic remains a critical, high-impact zero-day vector, demonstrating that even veteran protocols are not immune to fundamental smart contract design flaws.

smart contract vulnerability, arithmetic logic error, token supply inflation, decentralized finance exploit, liquidity pool drain, custom contract risk, unchecked calculations, DeFi security failure, asset manipulation, stable swap pool, on-chain forensics, protocol security, token minting flaw, code audit gap, liquid staking tokens, yield aggregator risk, digital asset theft, smart contract audit, security posture, risk mitigation Signal Acquired from → unchainedcrypto.com

Micro Crypto News Feeds

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

infinite token minting

Definition ∞ Infinite token minting is a critical vulnerability in a digital asset's smart contract that allows an attacker or unauthorized entity to create an unlimited supply of new tokens.

amount

Definition ∞ Amount signifies a quantified measure of value, volume, or quantity, typically referring to digital assets or fiat currency within transactions.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

defi protocols

Definition ∞ DeFi protocols are decentralized applications that provide financial services without traditional intermediaries.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

Tags:

Tags: