Security

Yearn Finance yETH Pool Drained Exploiting Custom Stableswap Minting Flaw

A critical logic flaw in a custom stableswap implementation enabled an attacker to mint near-infinite yETH, creating an immediate, catastrophic liquidity drain.
December 5, 20253 min

A close-up view presents a central metallic component, resembling a power cell or data processing unit, surrounded by an intricate, flowing blue liquid. Four metallic arms extend from this core, acting as conduits for the dynamic liquid, set against a smooth, gradient grey background
The image displays intricate blue structures densely covered in sharp white crystalline formations, with a transparent cylindrical element partially visible. The blue forms, resembling a spiraled or layered texture, are encrusted with countless individual white crystals, creating a frosty appearance

Briefing

The Yearn Finance protocol suffered a significant security incident on November 30, 2025, resulting in a loss of approximately $9 million from a specific yETH stableswap pool. This exploit immediately depegged the pool and represents a direct capital loss for users who provided liquidity to the affected contract. The core attack vector was a critical logic vulnerability in a custom stableswap implementation that allowed the attacker to mint a near-infinite quantity of yETH tokens, thereby draining the entire pool’s underlying assets in a single transaction.

The image features a close-up of a smooth, bright blue sphere contained within a clear, reflective, intricate lattice structure. The transparent outer shell is composed of numerous interconnected circular openings, creating a complex, cage-like form

Context

The DeFi ecosystem operates with a persistent, elevated risk from custom-built smart contract logic, especially in forks of popular codebases that lack independent, rigorous formal verification. Prior to this event, the Yearn team had emphasized that the contract was a “custom version” of stableswap code, which, by definition, introduced a unique and unaudited attack surface distinct from their core V2/V3 vaults. This incident leverages the known systemic risk of proprietary, non-standard contract implementations within a high-value liquidity environment.

Abstract, sleek white and transparent metallic structures dynamically interact with a vibrant blue granular substrate, creating a splash effect and reflecting on a rippled, deep blue liquid surface. The background features a subtle mist, enhancing the futuristic and impactful scene

Analysis

The compromise targeted a specific, custom stableswap contract used for the yETH product, not the protocol’s main vaults. The attacker exploited a flaw in the contract’s internal accounting or minting function, which failed to properly validate or cap the number of yETH tokens that could be created in exchange for the underlying assets. By triggering this logic error, the attacker effectively fabricated an enormous supply of yETH, which was then immediately redeemed for the pool’s legitimate collateral (ETH and WETH), achieving a total capital drain of approximately $9 million. This infinite minting vulnerability confirms the exploit’s root cause as a critical arithmetic or state-change error in the contract’s core logic.

A dark blue, spherical digital asset is partially enveloped by a translucent, light blue, flowing material. This enveloping layer is speckled with numerous tiny white particles, creating a dynamic, abstract composition against a soft grey background

Parameters

  • Total Funds Lost → $9 Million – The estimated total capital drained from the affected yETH stableswap pools.
  • Attack Vector → Infinite Token Minting – The specific smart contract logic flaw that allowed the attacker to fabricate assets.
  • Affected Contract Type → Custom Stableswap Pool – The specific, non-standard contract implementation that contained the vulnerability.
  • Initial Fund Movement → Tornado Cash – The primary crypto mixer used by the attacker to launder a portion of the stolen funds.

The image displays a close-up of an intricate, starburst-like crystalline formation composed of deep blue, highly reflective facets and frosted white, granular elements. These elements radiate outwards from a densely textured central point, creating a complex, three-dimensional structure against a soft grey background

Outlook

Immediate user mitigation requires all liquidity providers to the affected yETH stableswap pools to withdraw any remaining capital and revoke token approvals to the compromised contract address. The industry must now enforce stricter auditing standards for all custom or forked stableswap implementations, particularly those handling synthetic or wrapped assets, to prevent similar arithmetic and state-change vulnerabilities. This event serves as a clear warning that even minor deviations from battle-tested code can introduce catastrophic, nine-figure risk to a protocol’s security posture.

A close-up view reveals a highly detailed, metallic mechanical component, featuring various shafts and finely machined surfaces, partially submerged within a vibrant, translucent blue material that exhibits a textured, fluid-like appearance with subtle bubbles. The background offers a soft, out-of-focus gradient of blues and grays, emphasizing the intricate foreground subject, suggesting a high-tech operational environment

Verdict

This infinite minting exploit of a custom stableswap contract is a definitive case study demonstrating that bespoke DeFi logic is a primary attack surface for sophisticated, capital-draining vulnerabilities.

Smart contract vulnerability, Infinite mint exploit, DeFi logic flaw, Stableswap pool drain, Token minting error, Liquidity pool compromise, Custom code audit, On-chain forensic, Asset recovery, Token price manipulation, Ethereum blockchain risk, Protocol security posture, Financial system integrity, Decentralized finance, Systemic contagion risk, Tokenized assets, Yield farming security, Governance vote risk Signal Acquired from → forklog.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

capital

Definition ∞ Capital refers to financial resources deployed for investment, operational expenditure, or the facilitation of economic activity within the digital asset sector.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

attack surface

Definition ∞ An attack surface represents the sum of all possible points where an unauthorized user can attempt to access or extract data from a system.

Tags:

Tags: