Security

Yearn Finance yETH Pool Drained Exploiting Custom Stableswap Minting Flaw

A critical logic flaw in a custom stableswap implementation enabled an attacker to mint near-infinite yETH, creating an immediate, catastrophic liquidity drain.
December 5, 20253 min

A clear cubic structure sits atop a detailed circuit board illuminated with blue patterns. This juxtaposition highlights the critical intersection of quantum cryptography and blockchain technology
A transparent, multi-faceted crystal is suspended near dark, angular structures adorned with glowing blue circuit board tracings. This abstract composition visually articulates the foundational elements of blockchain technology and digital asset security

Briefing

The Yearn Finance protocol suffered a significant security incident on November 30, 2025, resulting in a loss of approximately $9 million from a specific yETH stableswap pool. This exploit immediately depegged the pool and represents a direct capital loss for users who provided liquidity to the affected contract. The core attack vector was a critical logic vulnerability in a custom stableswap implementation that allowed the attacker to mint a near-infinite quantity of yETH tokens, thereby draining the entire pool’s underlying assets in a single transaction.

The image presents a close-up view of two abstract, smooth forms. A translucent, deep blue element, covered in small water droplets, gently rests against a soft, light grey, subtly contoured background

Context

The DeFi ecosystem operates with a persistent, elevated risk from custom-built smart contract logic, especially in forks of popular codebases that lack independent, rigorous formal verification. Prior to this event, the Yearn team had emphasized that the contract was a “custom version” of stableswap code, which, by definition, introduced a unique and unaudited attack surface distinct from their core V2/V3 vaults. This incident leverages the known systemic risk of proprietary, non-standard contract implementations within a high-value liquidity environment.

A prominent textured sphere, resembling a moon, is securely nestled within a sophisticated metallic blue and silver geometric structure. This intricate assembly is partially covered with white frosty particles, creating a visual metaphor for robust digital asset security

Analysis

The compromise targeted a specific, custom stableswap contract used for the yETH product, not the protocol’s main vaults. The attacker exploited a flaw in the contract’s internal accounting or minting function, which failed to properly validate or cap the number of yETH tokens that could be created in exchange for the underlying assets. By triggering this logic error, the attacker effectively fabricated an enormous supply of yETH, which was then immediately redeemed for the pool’s legitimate collateral (ETH and WETH), achieving a total capital drain of approximately $9 million. This infinite minting vulnerability confirms the exploit’s root cause as a critical arithmetic or state-change error in the contract’s core logic.

A complex, metallic X-shaped structure, featuring intricate geometric patterns in silver and dark blue, is depicted partially submerged in a frothy, light blue, cavernous substance. The robust mechanism appears to be either emerging from or interacting with the dynamic blue medium, set against a plain grey background, showcasing detailed surfaces and internal components

Parameters

  • Total Funds Lost → $9 Million – The estimated total capital drained from the affected yETH stableswap pools.
  • Attack Vector → Infinite Token Minting – The specific smart contract logic flaw that allowed the attacker to fabricate assets.
  • Affected Contract Type → Custom Stableswap Pool – The specific, non-standard contract implementation that contained the vulnerability.
  • Initial Fund Movement → Tornado Cash – The primary crypto mixer used by the attacker to launder a portion of the stolen funds.

Abstract, sleek white and transparent metallic structures dynamically interact with a vibrant blue granular substrate, creating a splash effect and reflecting on a rippled, deep blue liquid surface. The background features a subtle mist, enhancing the futuristic and impactful scene

Outlook

Immediate user mitigation requires all liquidity providers to the affected yETH stableswap pools to withdraw any remaining capital and revoke token approvals to the compromised contract address. The industry must now enforce stricter auditing standards for all custom or forked stableswap implementations, particularly those handling synthetic or wrapped assets, to prevent similar arithmetic and state-change vulnerabilities. This event serves as a clear warning that even minor deviations from battle-tested code can introduce catastrophic, nine-figure risk to a protocol’s security posture.

The image features a close-up of abstract, highly reflective metallic components in silver and blue. Smooth, rounded chrome elements interlock with matte blue surfaces, creating a complex, futuristic design

Verdict

This infinite minting exploit of a custom stableswap contract is a definitive case study demonstrating that bespoke DeFi logic is a primary attack surface for sophisticated, capital-draining vulnerabilities.

Smart contract vulnerability, Infinite mint exploit, DeFi logic flaw, Stableswap pool drain, Token minting error, Liquidity pool compromise, Custom code audit, On-chain forensic, Asset recovery, Token price manipulation, Ethereum blockchain risk, Protocol security posture, Financial system integrity, Decentralized finance, Systemic contagion risk, Tokenized assets, Yield farming security, Governance vote risk Signal Acquired from → forklog.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

capital

Definition ∞ Capital refers to financial resources deployed for investment, operational expenditure, or the facilitation of economic activity within the digital asset sector.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

attack surface

Definition ∞ An attack surface represents the sum of all possible points where an unauthorized user can attempt to access or extract data from a system.

Tags:

Tags: