Security

Yearn Finance yETH Pool Drained Exploiting Custom Stableswap Minting Flaw

A critical logic flaw in a custom stableswap implementation enabled an attacker to mint near-infinite yETH, creating an immediate, catastrophic liquidity drain.
December 5, 20253 min

A detailed view reveals a dynamic interplay of translucent, deep blue, viscous material forming wave-like structures over a dark, linear grid. Centrally, a textured white sphere is securely held and partially submerged by this blue substance
A pristine white sphere, its lower half transitioning into a vibrant blue gradient, rests centrally amidst a formation of granular white and blue material, accompanied by a large translucent blue crystal shard. This entire arrangement floats on a dark, rippled water surface, creating a serene yet dynamic visual

Briefing

The Yearn Finance protocol suffered a significant security incident on November 30, 2025, resulting in a loss of approximately $9 million from a specific yETH stableswap pool. This exploit immediately depegged the pool and represents a direct capital loss for users who provided liquidity to the affected contract. The core attack vector was a critical logic vulnerability in a custom stableswap implementation that allowed the attacker to mint a near-infinite quantity of yETH tokens, thereby draining the entire pool’s underlying assets in a single transaction.

A translucent, irregularly shaped object, covered in numerous water droplets, reveals a deep blue interior and a smooth, light-colored central opening. The object's surface exhibits a textured, almost frosted appearance due to the condensation, contrasting with the vibrant, uniform blue within

Context

The DeFi ecosystem operates with a persistent, elevated risk from custom-built smart contract logic, especially in forks of popular codebases that lack independent, rigorous formal verification. Prior to this event, the Yearn team had emphasized that the contract was a “custom version” of stableswap code, which, by definition, introduced a unique and unaudited attack surface distinct from their core V2/V3 vaults. This incident leverages the known systemic risk of proprietary, non-standard contract implementations within a high-value liquidity environment.

A brilliant blue, perfectly spherical digital asset token is cradled within a dynamic, translucent water splash, set upon an advanced technological base. The intricate design features dark blue and metallic silver components, suggesting a robust computational infrastructure

Analysis

The compromise targeted a specific, custom stableswap contract used for the yETH product, not the protocol’s main vaults. The attacker exploited a flaw in the contract’s internal accounting or minting function, which failed to properly validate or cap the number of yETH tokens that could be created in exchange for the underlying assets. By triggering this logic error, the attacker effectively fabricated an enormous supply of yETH, which was then immediately redeemed for the pool’s legitimate collateral (ETH and WETH), achieving a total capital drain of approximately $9 million. This infinite minting vulnerability confirms the exploit’s root cause as a critical arithmetic or state-change error in the contract’s core logic.

A clear cubic structure sits atop a detailed circuit board illuminated with blue patterns. This juxtaposition highlights the critical intersection of quantum cryptography and blockchain technology

Parameters

  • Total Funds Lost → $9 Million – The estimated total capital drained from the affected yETH stableswap pools.
  • Attack Vector → Infinite Token Minting – The specific smart contract logic flaw that allowed the attacker to fabricate assets.
  • Affected Contract Type → Custom Stableswap Pool – The specific, non-standard contract implementation that contained the vulnerability.
  • Initial Fund Movement → Tornado Cash – The primary crypto mixer used by the attacker to launder a portion of the stolen funds.

A vibrant blue, porous, organic-like structure, resembling a sponge or cellular network, dominates the frame, with a sophisticated metallic component embedded within it. This metallic element is circular, multi-layered, featuring a central lens and an intricately segmented outer ring, encircled by a thin transparent ring

Outlook

Immediate user mitigation requires all liquidity providers to the affected yETH stableswap pools to withdraw any remaining capital and revoke token approvals to the compromised contract address. The industry must now enforce stricter auditing standards for all custom or forked stableswap implementations, particularly those handling synthetic or wrapped assets, to prevent similar arithmetic and state-change vulnerabilities. This event serves as a clear warning that even minor deviations from battle-tested code can introduce catastrophic, nine-figure risk to a protocol’s security posture.

A close-up view reveals a futuristic, translucent blue device with internal glowing circuit patterns. A prominent metallic, concentric circular component is centered, suggesting a high-tech sensor or connection point

Verdict

This infinite minting exploit of a custom stableswap contract is a definitive case study demonstrating that bespoke DeFi logic is a primary attack surface for sophisticated, capital-draining vulnerabilities.

Smart contract vulnerability, Infinite mint exploit, DeFi logic flaw, Stableswap pool drain, Token minting error, Liquidity pool compromise, Custom code audit, On-chain forensic, Asset recovery, Token price manipulation, Ethereum blockchain risk, Protocol security posture, Financial system integrity, Decentralized finance, Systemic contagion risk, Tokenized assets, Yield farming security, Governance vote risk Signal Acquired from → forklog.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

capital

Definition ∞ Capital refers to financial resources deployed for investment, operational expenditure, or the facilitation of economic activity within the digital asset sector.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

attack surface

Definition ∞ An attack surface represents the sum of all possible points where an unauthorized user can attempt to access or extract data from a system.

Tags:

Tags: