Briefing

The Yearn Finance legacy yETH product suffered a severe economic exploit stemming from a critical logic flaw in its custom stableswap pool contract. The flaw let the attacker mint a near-unlimited quantity of yETH without depositing matching collateral, corrupting the pool’s internal accounting. The immediate consequence was the total depletion of the pool’s liquidity and a confirmed loss of approximately $9 million in staked ETH derivatives. The attack demonstrates that an isolated, deprecated component can still pose an existential threat to a protocol’s total value locked.

Context

The incident exploited the inherent risk of keeping complex, custom-built contracts live after they are no longer actively maintained or covered by the protocol’s primary security architecture. Despite the protocol’s migration to newer, more thoroughly audited V3 vaults, the legacy yETH product remained deployed on Ethereum mainnet as a significant and known attack surface. This class of vulnerability is a direct consequence of decentralized protocols failing to fully decommission deprecated code.

Analysis

The exploit targeted a flaw in the custom stableswap pool’s internal accounting, specifically its mint-path logic. Under particular conditions the mint function miscalculated its output, so a minimal deposit produced an outsized quantity of yETH. The attacker then redeemed that inflated yETH against the pool’s real reserves (wstETH and rETH among them) in a single atomic transaction, draining the pool. The attack succeeded because the contract never validated the value of the tokens it minted against the collateral actually deposited.
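The mechanism above, as an added illustration that is not Yearn’s yETH code and does not reproduce the undisclosed flaw: a toy rate-adjusted LP pool in which a hypothetical units error in the mint path values a dust deposit 1e18 times too high, so the attacker is minted almost the entire LP supply and redeems it for the reserves in one sequence. Beside it sits the hardened path, which mints from the change in the pool invariant and then re-verifies, independently of how the mint amount was derived, that the ETH value of the minted LP tokens does not exceed the value deposited. Rates, balances, asset names and the constant-sum invariant are all constructed stand-ins for the real stableswap curve.

```python
"""Toy rate-adjusted LP pool showing how a mint-calculation error turns a dust
deposit into a pool drain, beside the collateral check that stops it.
Added example; not the Yearn yETH code. The "bug" is a hypothetical units
error standing in for the undisclosed flaw. Rates, balances and the
constant-sum invariant are constructed for illustration only."""

PRECISION = 10**18  # fixed-point scale shared by token amounts and rates

# Constructed ETH-per-token rates (1e18 = 1.0); not live values
RATES = {"wstETH": 1_180_000_000_000_000_000, "rETH": 1_100_000_000_000_000_000}


class Pool:
    def __init__(self, balances):
        self.balances = dict(balances)   # asset -> raw units (1e18 = 1 token)
        self.supply = self.invariant()   # bootstrap: 1 LP token per ETH of value
        self.lp = {"initial_lp": self.supply}

    def invariant(self):
        # ETH-denominated value of all holdings: a constant-sum stand-in for D
        return sum(self.balances[a] * RATES[a] // PRECISION for a in self.balances)

    def _mint(self, who, amount):
        self.supply += amount
        self.lp[who] = self.lp.get(who, 0) + amount

    def _assert_collateralized(self, minted, d0, d1):
        # Post-condition: the value of the minted LP at the post-deposit virtual
        # price must not exceed the value actually deposited (d1 - d0). It holds
        # regardless of how `minted` was derived, so it catches an upstream
        # miscalculation instead of trusting it.
        lp_value = minted * d1 // self.supply
        if lp_value > d1 - d0:
            raise AssertionError("minted LP worth more than deposited collateral")

    def add_liquidity_vulnerable(self, who, asset, amount, guard=False):
        d0 = self.invariant()
        self.balances[asset] += amount
        d1 = self.invariant()
        # BUG (hypothetical): rate applied without dividing by PRECISION, so the
        # deposit is valued 1e18x too high and the mint is inflated to match.
        value_in = amount * RATES[asset]
        minted = self.supply * value_in // d0
        self._mint(who, minted)
        if guard:  # the same post-condition would have rejected this mint
            self._assert_collateralized(minted, d0, d1)
        return minted

    def add_liquidity_fixed(self, who, asset, amount):
        d0 = self.invariant()
        self.balances[asset] += amount
        d1 = self.invariant()
        # Mint from the invariant change itself, then re-verify with the guard
        minted = self.supply * (d1 - d0) // d0
        self._mint(who, minted)
        self._assert_collateralized(minted, d0, d1)
        return minted

    def remove_liquidity(self, who):
        # Pro-rata redemption of every asset against the caller's LP share
        share = self.lp.pop(who)
        out = {}
        for a in self.balances:
            out[a] = self.balances[a] * share // self.supply
            self.balances[a] -= out[a]
        self.supply -= share
        return out


def simulate(use_fixed):
    """Dust deposit followed by immediate redemption, mirroring the atomic drain."""
    pool = Pool({"wstETH": 3000 * PRECISION, "rETH": 2000 * PRECISION})
    pool_before = pool.invariant()
    deposit = PRECISION // 1000                          # 0.001 wstETH
    deposit_value = deposit * RATES["wstETH"] // PRECISION
    add = pool.add_liquidity_fixed if use_fixed else pool.add_liquidity_vulnerable
    add("attacker", "wstETH", deposit)
    out = pool.remove_liquidity("attacker")
    drained = sum(out[a] * RATES[a] // PRECISION for a in out)
    return {"pool_before": pool_before, "deposit_value": deposit_value, "drained": drained}


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", simulate(fixed))
```

On the vulnerable path the attacker’s 0.001 wstETH deposit yields LP tokens worth more than the whole pool, and the redemption returns essentially every reserve token; on the fixed path the same deposit redeems for at most the 0.00118 ETH of value it put in. The post-condition is deliberately separate from the mint formula: a pool that checks minted value against deposited collateral fails closed on an accounting bug it does not otherwise know about.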

Parameters

  • Total Loss Valuation → $9 Million (The confirmed total funds drained from the affected liquidity pools.)
  • Exploit Vector → Infinite Token Minting Logic Flaw (The specific, code-level vulnerability that enabled the attack.)
  • Laundered Funds → ~1,000 ETH (The amount of stolen assets immediately moved to the Tornado Cash mixer.)
  • Affected Product → Legacy yETH Stableswap Pool (The single, isolated contract that contained the vulnerability.)

Outlook

Because the vulnerability is isolated to the legacy contract, the immediate user mitigation is to confirm that holdings sit in the protocol’s actively managed V3 vaults rather than the legacy yETH pool. The incident reinforces the systemic contagion risk posed by deprecated, unaudited, or custom stableswap logic across the DeFi landscape and argues for a sector-wide review of legacy contracts. It is likely to push the sector toward a best practice of formal on-chain decommissioning (pausing, disabling deposits, or self-destructing) of retired smart contracts to eliminate persistent attack surfaces.

Verdict

This exploit confirms that legacy smart contract logic, even when isolated from core systems, represents an unacceptable and high-value systemic risk to the digital asset ecosystem.

Signal Acquired from → forklog.com

Micro Crypto News Feeds

staked eth

Definition ∞ Staked ETH refers to Ether (ETH) that has been deposited into the Ethereum 2.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

liquidity pool

Definition ∞ A liquidity pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.