Briefing

The Yearn Finance protocol suffered a significant security incident on November 30, 2025, resulting in a loss of approximately $9 million from a specific yETH stableswap pool. This exploit immediately depegged the pool and represents a direct capital loss for users who provided liquidity to the affected contract. The core attack vector was a critical logic vulnerability in a custom stableswap implementation that allowed the attacker to mint a near-infinite quantity of yETH tokens, thereby draining the entire pool’s underlying assets in a single transaction.


Context

The DeFi ecosystem carries a persistent, elevated risk from custom-built smart contract logic, especially in forks of popular codebases that lack independent, rigorous formal verification. Prior to this event, the Yearn team had emphasized that the contract was a “custom version” of stableswap code, which, by definition, introduced a unique and unaudited attack surface distinct from their core V2/V3 vaults. This incident is an instance of the known systemic risk that proprietary, non-standard contract implementations carry in a high-value liquidity environment.


Analysis

The compromise targeted a specific, custom stableswap contract used for the yETH product, not the protocol’s main vaults. The attacker exploited a flaw in the contract’s internal accounting or minting function, which failed to properly validate or cap the number of yETH tokens that could be created in exchange for the underlying assets. By triggering this logic error, the attacker effectively fabricated an enormous supply of yETH, which was then immediately redeemed for the pool’s legitimate collateral (ETH and WETH), achieving a total capital drain of approximately $9 million. This infinite minting vulnerability confirms the exploit’s root cause as a critical arithmetic or state-change error in the contract’s core logic.
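A defender can watch for this class of failure by comparing pool-token supply against the value the pool actually holds after every state change. The sketch below is an added example, not code from Yearn or from the original article; the snapshot fields, the 1% tolerance and the assumption that the pool token targets 1:1 value with its ETH-denominated backing are all hypothetical.

```python
from dataclasses import dataclass
from fractions import Fraction

WAD = 10**18  # fixed-point scale used for rates and token amounts

@dataclass(frozen=True)
class PoolSnapshot:
    """Pool state at a block boundary; the field names are hypothetical."""
    balances: tuple  # underlying asset balances held by the pool, in wei
    rates: tuple     # ETH value of one unit of each asset, scaled by WAD
    lp_supply: int   # total supply of the pool token, in wei

    def backing(self) -> int:
        # ETH-denominated value of everything the pool holds.
        return sum(b * r // WAD for b, r in zip(self.balances, self.rates))

def check_transition(before, after, tolerance=Fraction(1, 100)):
    """Return the invariants violated by one state transition."""
    findings = []
    minted = after.lp_supply - before.lp_supply
    added = after.backing() - before.backing()
    # Invariant 1: newly minted pool tokens must be paid for by new backing.
    if minted > 0 and minted > added * (1 + tolerance):
        findings.append("unbacked_mint")
    # Invariant 2: total supply must stay covered by what the pool holds.
    if after.lp_supply > after.backing() * (1 + tolerance):
        findings.append("supply_exceeds_backing")
    return findings

# Constructed sample states (not data from the incident).
RATES = (WAD, 11 * WAD // 10)
BEFORE = PoolSnapshot((1000 * WAD, 800 * WAD), RATES, 1870 * WAD)
DEPOSIT = PoolSnapshot((1010 * WAD, 800 * WAD), RATES, 1879 * WAD)
ANOMALY = PoolSnapshot((1001 * WAD, 800 * WAD), RATES, 10**30)
REDEEM = PoolSnapshot((900 * WAD, 800 * WAD), RATES, 1771 * WAD)

if __name__ == "__main__":
    for name, state in (("deposit", DEPOSIT), ("anomaly", ANOMALY),
                        ("redeem", REDEEM)):
        print(name, check_transition(BEFORE, state))
```

The same two conditions can be enforced on-chain as post-conditions of the mint path, or off-chain as an alert that pauses the pool when either fires.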


Parameters

  • Total Funds Lost → $9 Million – The estimated total capital drained from the affected yETH stableswap pools.
  • Attack Vector → Infinite Token Minting – The specific smart contract logic flaw that allowed the attacker to fabricate assets.
  • Affected Contract Type → Custom Stableswap Pool – The specific, non-standard contract implementation that contained the vulnerability.
  • Initial Fund Movement → Tornado Cash – The primary crypto mixer used by the attacker to launder a portion of the stolen funds.


Outlook

Immediate user mitigation requires all liquidity providers to the affected yETH stableswap pools to withdraw any remaining capital and revoke token approvals to the compromised contract address. The industry must now enforce stricter auditing standards for all custom or forked stableswap implementations, particularly those handling synthetic or wrapped assets, to prevent similar arithmetic and state-change vulnerabilities. This event serves as a clear warning that even minor deviations from battle-tested code can introduce catastrophic, nine-figure risk to a protocol’s security posture.
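One way to carry out the approval check described above, as an added example that is not part of the original article: it builds the `eth_call` request that reads an ERC-20 allowance and the `approve(spender, 0)` calldata that revokes it. Every address is a labelled placeholder because the article does not give the contract address, and the RPC results are constructed.

```python
APPROVE = "095ea7b3"    # selector of approve(address,uint256)
ALLOWANCE = "dd62ed3e"  # selector of allowance(address,address)

def _word(address: str) -> str:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    raw = address.lower()
    if raw.startswith("0x"):
        raw = raw[2:]
    if len(raw) != 40 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a 20-byte address: {address!r}")
    return raw.rjust(64, "0")

def allowance_call(token: str, owner: str, spender: str) -> dict:
    """JSON-RPC eth_call body that reads allowance(owner, spender)."""
    data = "0x" + ALLOWANCE + _word(owner) + _word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0), sent to the token contract."""
    return "0x" + APPROVE + _word(spender) + "0" * 64

def tokens_to_revoke(results: dict) -> list:
    """Given {token: eth_call hex result}, list tokens with allowance > 0."""
    live = []
    for token, hexval in results.items():
        # An empty result ("0x") means no data came back; treat it as zero.
        amount = int(hexval, 16) if hexval not in ("", "0x") else 0
        if amount > 0:
            live.append(token)
    return live

# Placeholders (assumptions): substitute the real addresses before use.
COMPROMISED_POOL = "0x" + "11" * 20
OWNER = "0x" + "22" * 20
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20

# Constructed eth_call results: TOKEN_A has an unlimited approval, TOKEN_B none.
SAMPLE_RESULTS = {TOKEN_A: "0x" + "f" * 64, TOKEN_B: "0x" + "0" * 64}

if __name__ == "__main__":
    print(allowance_call(TOKEN_A, OWNER, COMPROMISED_POOL))
    for token in tokens_to_revoke(SAMPLE_RESULTS):
        print("send to", token, "data", revoke_calldata(COMPROMISED_POOL))
```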


Verdict

This infinite minting exploit of a custom stableswap contract is a definitive case study demonstrating that bespoke DeFi logic is a primary attack surface for sophisticated, capital-draining vulnerabilities.

Signal Acquired from → forklog.com

Micro Crypto News Feeds

stableswap pool

Definition ∞ A stableswap pool is a type of liquidity pool in decentralized finance (DeFi) specifically designed to facilitate efficient exchanges between pegged assets, such as stablecoins or wrapped tokens.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.

infinite minting

Definition ∞ Infinite minting refers to a characteristic of some digital assets or tokens where there is no predetermined upper limit on the total supply that can be created.

capital

Definition ∞ Capital refers to financial resources deployed for investment, operational expenditure, or the facilitation of economic activity within the digital asset sector.

contract logic

Definition ∞ Contract Logic refers to the set of predefined rules, conditions, and instructions embedded within a smart contract that govern its execution and state changes.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

security posture

Definition ∞ A security posture describes the overall state of an organization's cybersecurity defenses and its readiness to counter threats.

attack surface

Definition ∞ An attack surface represents the sum of all possible points where an unauthorized user can attempt to access or extract data from a system.