Briefing

The Yearn Finance legacy yETH product suffered a severe economic exploit stemming from a critical flaw within its custom stableswap pool contract. This logic error enabled a threat actor to bypass standard controls, effectively minting a near-infinite supply of unauthorized yETH tokens to manipulate the pool’s internal state. The immediate consequence was the total depletion of the pool’s liquidity, resulting in a confirmed loss of approximately $9 million in various staked ETH derivatives. This attack demonstrates that even isolated, deprecated components can pose an existential threat to a protocol’s total value locked.

Context

The incident exploited the inherent risk of maintaining complex, custom-built contracts that are no longer actively maintained or integrated into the protocol’s primary security architecture. Although the protocol had shifted to newer, more thoroughly audited V3 vaults, the legacy yETH product remained deployed on Ethereum mainnet as a significant, known attack surface. This class of vulnerability is a direct consequence of decentralized protocols failing to fully decommission deprecated code.

Analysis

The exploit targeted a specific flaw in the custom stableswap pool’s internal accounting or mint function logic. The attacker called the minting function under conditions in which it erroneously calculated its output, allowing the creation of an excessive amount of yETH for a minimal input. This newly minted, hyper-inflated supply of yETH was then used to drain the underlying real assets, including wstETH and rETH, from the liquidity pool in a single, atomic transaction. The success of the attack was predicated on the contract’s inability to correctly validate the value of the minted tokens against the deposited collateral.
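The failure described above, LP tokens minted without an equal increase in the collateral backing them, is exactly what an invariant-based mint path prevents. The following Python model is an added example written for this briefing, not Yearn's yETH code: it mints LP tokens only in proportion to the growth of a Curve-style invariant D and enforces a virtual-price post-condition; its pool parameters, deposits and the `compute_d`/`add_liquidity` names are constructed assumptions.

```python
# Added example, not Yearn's yETH code: a minimal two-asset stableswap pool
# that mints LP tokens only in proportion to the growth of the Curve-style
# invariant D and refuses any mint that lowers the pool's virtual price.
# All balances, amplification values and deposits below are constructed.

def compute_d(balances, amp, max_iter=255):
    """Newton iteration for the stableswap invariant D, in the form
    A*n*sum(x) + D = A*n*D + D**(n+1) / (n**n * prod(x)), where `amp`
    follows the Curve convention (A already multiplied by n**(n-1))."""
    n = len(balances)
    s = sum(balances)
    if s == 0:
        return 0
    d, ann = s, amp * n
    for _ in range(max_iter):
        d_p = d
        for x in balances:
            d_p = d_p * d // (x * n)        # D**(n+1) / (n**n * prod(x))
        d_prev = d
        d = (ann * s + d_p * n) * d // ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - d_prev) <= 1:          # converged to within 1 wei
            return d
    return d


class StableSwapPool:
    def __init__(self, balances, amp):
        self.balances, self.amp = list(balances), amp
        self.total_supply = compute_d(balances, amp)  # 1 LP == 1 unit of D at start

    def virtual_price(self):
        """Value of one LP token in units of D, scaled by 1e18."""
        return compute_d(self.balances, self.amp) * 10**18 // self.total_supply

    def add_liquidity(self, amounts, min_mint=0):
        """Mint LP tokens = supply * (D1 - D0) / D0, never on nominal amounts."""
        d0 = compute_d(self.balances, self.amp)
        new_balances = [b + a for b, a in zip(self.balances, amounts)]
        d1 = compute_d(new_balances, self.amp)
        if d1 <= d0:
            raise ValueError("deposit must increase the invariant")
        mint = self.total_supply * (d1 - d0) // d0   # rounds in the pool's favour
        if mint < min_mint:
            raise ValueError("slippage: fewer LP tokens than requested")
        vp_before = self.virtual_price()
        self.balances, self.total_supply = new_balances, self.total_supply + mint
        # Post-condition: LP supply can never grow faster than its collateral backing.
        if self.virtual_price() < vp_before:
            raise AssertionError("mint would dilute existing LP holders")
        return mint
```

A balanced deposit mints exactly its share of D, a one-sided deposit mints strictly less than its nominal value, and a deposit that leaves D unchanged mints nothing.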

Parameters

  • Total Loss Valuation → $9 Million (The confirmed total funds drained from the affected liquidity pools.)
  • Exploit Vector → Infinite Token Minting Logic Flaw (The specific, code-level vulnerability that enabled the attack.)
  • Laundered Funds → ~1,000 ETH (The amount of stolen assets immediately moved to the Tornado Cash mixer.)
  • Affected Product → Legacy yETH Stableswap Pool (The single, isolated contract that contained the vulnerability.)

Outlook

Immediate user mitigation requires confirming that all assets are held in the protocol’s actively managed V3 vaults, as the vulnerability is isolated. The incident reinforces the systemic contagion risk posed by deprecated, unaudited, or custom stableswap logic across the DeFi landscape, necessitating a sector-wide review of legacy contracts. This event will likely establish a new security best practice mandating formal, on-chain decommissioning of all retired smart contracts to eliminate persistent attack surfaces.

Verdict

This exploit confirms that legacy smart contract logic, even when isolated from core systems, represents an unacceptable and high-value systemic risk to the digital asset ecosystem.

Signal Acquired from → forklog.com
