Briefing

The Yearn Finance protocol suffered a significant security incident on November 30, 2025, resulting in a loss of approximately $9 million from a specific yETH stableswap pool. This exploit immediately depegged the pool and represents a direct capital loss for users who provided liquidity to the affected contract. The core attack vector was a critical logic vulnerability in a custom stableswap implementation that allowed the attacker to mint a near-infinite quantity of yETH tokens, thereby draining the entire pool’s underlying assets in a single transaction.

Context

The DeFi ecosystem operates with a persistent, elevated risk from custom-built smart contract logic, especially in forks of popular codebases that lack independent, rigorous formal verification. Prior to this event, the Yearn team had emphasized that the contract was a “custom version” of stableswap code, which inherently introduced a unique, unaudited attack surface distinct from their core V2/V3 vaults. This incident exemplifies the known systemic risk of proprietary, non-standard contract implementations within a high-value liquidity environment.

Analysis

The compromise targeted a specific, custom stableswap contract used for the yETH product, not the protocol’s main vaults. The attacker exploited a flaw in the contract’s internal accounting or minting function, which failed to properly validate or cap the number of yETH tokens that could be created in exchange for the underlying assets. By triggering this logic error, the attacker effectively fabricated an enormous supply of yETH, which was then immediately redeemed for the pool’s legitimate collateral (ETH and WETH), achieving a total capital drain of approximately $9 million. This infinite minting vulnerability confirms the exploit’s root cause as a critical arithmetic or state-change error in the contract’s core logic.
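As an added illustration (not Yearn's code, and not the actual yETH contract logic, which this briefing does not reproduce), the following Python model shows the kind of independent post-mint validation the analysis says was missing: a guard that rejects any mint which dilutes value per share, regardless of how the share count was computed. Assumptions: a constructed pool of pegged assets valued 1:1, integer LP shares, and the guard running after every state change.

```python
# Constructed model of a pegged-asset pool (hypothetical, not the yETH contract).
from dataclasses import dataclass, field


@dataclass
class Pool:
    balances: dict = field(default_factory=dict)   # asset symbol -> units held
    total_shares: int = 0                           # LP token supply

    def value(self) -> int:
        # Stableswap assumption: every asset is pegged, so value is the plain sum.
        return sum(self.balances.values())

    def snapshot(self) -> tuple:
        return (self.value(), self.total_shares)


def pro_rata_shares(pool: Pool, amount: int) -> int:
    """Shares a deposit of `amount` is entitled to: amount / value * supply,
    rounded down so existing holders are never diluted by rounding."""
    if pool.total_shares == 0:
        return amount                # first depositor bootstraps 1:1
    return amount * pool.total_shares // pool.value()


def assert_no_dilution(before: tuple, after: tuple) -> None:
    """Invariant: value per share must never fall after a mint, i.e.
    value_after / shares_after >= value_before / shares_before (cross-multiplied).
    The check is independent of the minting formula, so it catches a broken
    or uncapped share calculation even when that calculation is trusted."""
    v0, s0 = before
    v1, s1 = after
    if s0 > 0 and v1 * s0 < v0 * s1:
        raise RuntimeError("mint would dilute existing holders; reverting")


def deposit(pool: Pool, asset: str, amount: int, shares: int) -> int:
    """Apply a deposit that mints `shares`, then enforce the invariant.
    `shares` is a parameter here only so the guard can be shown rejecting
    an inflated value; a real pool would compute it with pro_rata_shares."""
    if amount <= 0 or shares < 0:
        raise ValueError("bad deposit")
    before = pool.snapshot()
    pool.balances[asset] = pool.balances.get(asset, 0) + amount
    pool.total_shares += shares
    try:
        assert_no_dilution(before, pool.snapshot())
    except RuntimeError:
        pool.balances[asset] -= amount      # model an EVM-style revert
        pool.total_shares -= shares
        raise
    return shares
```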

Parameters

  • Total Funds Lost → $9 Million – The estimated total capital drained from the affected yETH stableswap pools.
  • Attack Vector → Infinite Token Minting – The specific smart contract logic flaw that allowed the attacker to fabricate assets.
  • Affected Contract Type → Custom Stableswap Pool – The specific, non-standard contract implementation that contained the vulnerability.
  • Initial Fund Movement → Tornado Cash – The primary crypto mixer used by the attacker to launder a portion of the stolen funds.

Outlook

Immediate user mitigation requires all liquidity providers to the affected yETH stableswap pools to withdraw any remaining capital and revoke token approvals to the compromised contract address. The industry must now enforce stricter auditing standards for all custom or forked stableswap implementations, particularly those handling synthetic or wrapped assets, to prevent similar arithmetic and state-change vulnerabilities. This event serves as a clear warning that even minor deviations from battle-tested code can introduce catastrophic, nine-figure risk to a protocol’s security posture.

Verdict

This infinite minting exploit of a custom stableswap contract is a definitive case study demonstrating that bespoke DeFi logic is a primary attack surface for sophisticated, capital-draining vulnerabilities.

Signal Acquired from → forklog.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

capital

Definition ∞ Capital refers to financial resources deployed for investment, operational expenditure, or the facilitation of economic activity within the digital asset sector.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

attack surface

Definition ∞ An attack surface represents the sum of all possible points where an unauthorized user can attempt to access or extract data from a system.