Security

Yearn Legacy Pool Drained by Infinite Token Minting Logic Flaw

A critical logic flaw in a legacy stableswap contract allowed an attacker to mint unauthorized yETH, compromising $9M in deposited assets.
December 1, 20253 min

The image captures a detailed perspective of a sleek, reflective blue component, showcasing its transparent upper rim filled with a vibrant blue liquid. Numerous small, white bubbles adhere to the inner glass surface and float within the fluid, creating a dynamic visual
A large, textured sphere, resembling a celestial body, partially submerges in dark blue liquid, generating dynamic splashes. Smaller white spheres interact with the fluid

Briefing

The Yearn Finance legacy yETH product suffered a severe economic exploit stemming from a critical flaw within its custom stableswap pool contract. This logic error enabled a threat actor to bypass standard controls, effectively minting a near-infinite supply of unauthorized yETH tokens to manipulate the pool’s internal state. The immediate consequence was the total depletion of the pool’s liquidity, resulting in a confirmed loss of approximately $9 million in various staked ETH derivatives. This attack demonstrates that even isolated, deprecated components can pose an existential threat to a protocol’s total value locked.

A pristine white sphere, its lower half transitioning into a vibrant blue gradient, rests centrally amidst a formation of granular white and blue material, accompanied by a large translucent blue crystal shard. This entire arrangement floats on a dark, rippled water surface, creating a serene yet dynamic visual

Context

The incident leveraged the inherent risk associated with maintaining complex, custom-built contracts that are no longer actively maintained or integrated into the protocol’s primary security architecture. Despite the protocol’s shift to newer, more audited V3 vaults, the presence of the legacy yETH product created a significant, known attack surface that persisted on the Ethereum mainnet. This class of vulnerability is a direct consequence of decentralized protocols failing to fully decommission deprecated code.

A translucent blue device with a smooth, rounded form factor is depicted against a light grey background. Two clear, rounded protrusions, possibly interactive buttons, and a dark rectangular insert are visible on its surface

Analysis

The exploit targeted a specific flaw in the custom stableswap pool’s internal accounting or mint function logic. By exploiting this vulnerability, the attacker was able to call the minting function under specific conditions that erroneously calculated the output, allowing the creation of an excessive amount of yETH for a minimal input. This newly minted, hyper-inflated supply of yETH was then used to drain the underlying real assets → including wstETH and rETH → from the liquidity pool in a single, atomic transaction. The success of the attack was predicated on the contract’s inability to correctly validate the value of the minted tokens against the deposited collateral.

A close-up view presents a futuristic, metallic hardware device, partially adorned with granular frost, held by a white, textured glove. The device's open face reveals an intricate arrangement of faceted blue and silver geometric forms nestled within its internal structure

Parameters

  • Total Loss Valuation → $9 Million (The confirmed total funds drained from the affected liquidity pools.)
  • Exploit Vector → Infinite Token Minting Logic Flaw (The specific, code-level vulnerability that enabled the attack.)
  • Laundered Funds → ~1,000 ETH (The amount of stolen assets immediately moved to the Tornado Cash mixer.)
  • Affected Product → Legacy yETH Stableswap Pool (The single, isolated contract that contained the vulnerability.)

A close-up view reveals a highly detailed, metallic mechanical component, featuring various shafts and finely machined surfaces, partially submerged within a vibrant, translucent blue material that exhibits a textured, fluid-like appearance with subtle bubbles. The background offers a soft, out-of-focus gradient of blues and grays, emphasizing the intricate foreground subject, suggesting a high-tech operational environment

Outlook

Immediate user mitigation requires confirming that all assets are held in the protocol’s actively managed V3 vaults, as the vulnerability is isolated. The incident reinforces the systemic contagion risk posed by deprecated, unaudited, or custom stableswap logic across the DeFi landscape, necessitating a sector-wide review of legacy contracts. This event will likely establish a new security best practice mandating formal, on-chain decommissioning of all retired smart contracts to eliminate persistent attack surfaces.

A detailed close-up shows a complex, futuristic mechanism composed of shiny silver and translucent blue components. At its core, a cross-shaped structure made of light blue foamy material features a prominent metallic five-pointed star

Verdict

This exploit confirms that legacy smart contract logic, even when isolated from core systems, represents an unacceptable and high-value systemic risk to the digital asset ecosystem.

infinite mint vulnerability, stableswap pool exploit, smart contract logic, defi security breach, token minting flaw, liquidity pool drain, on-chain forensics, reimbursement proposal, legacy contract risk, asset management protocol, decentralized finance, governance vote, token price impact, ethereum blockchain, asset recovery plan, protocol vulnerability, access control failure, pool depletion event, staked eth derivative, multi-asset pool Signal Acquired from → forklog.com

Micro Crypto News Feeds

staked eth

Definition ∞ Staked ETH refers to Ether (ETH) that has been deposited into the Ethereum 2.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

liquidity pool

Liquidity Pool ∞ is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.

Tags:

Tags: