Briefing

The Yearn Finance legacy yETH product suffered a severe economic exploit caused by a critical flaw in its custom stableswap pool contract. The logic error let an attacker mint a near-unlimited quantity of yETH tokens against negligible collateral and use that inflated supply to manipulate the pool’s internal state. The immediate consequence was the complete draining of the pool’s liquidity, a confirmed loss of approximately $9 million in staked ETH derivatives. The attack shows that an isolated, deprecated component can still pose an existential threat to a protocol’s total value locked.

Context

The attack exploited the risk inherent in leaving complex, custom-built contracts live after they are no longer actively maintained or covered by the protocol’s primary security architecture. Although the protocol had shifted to newer, more thoroughly audited V3 vaults, the legacy yETH product remained deployed on Ethereum mainnet as a significant, known attack surface. This class of vulnerability is a direct consequence of decentralized protocols failing to fully decommission deprecated code.

Analysis

The exploit targeted a flaw in the custom stableswap pool’s internal accounting, specifically the logic that prices a mint. Under particular conditions the mint function miscalculated its output, so a minimal deposit produced an excessive amount of yETH. The attacker then used this hyper-inflated yETH to drain the pool’s real underlying assets, including wstETH and rETH, in a single atomic transaction. The attack succeeded because the contract never validated the value of the tokens it minted against the collateral actually deposited. The standard defense against this class of bug is a post-mint invariant check that is independent of the share calculation itself: the value of newly minted pool tokens may not exceed the value received, and the pool’s value per token must not fall on a deposit.
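The accounting failure described above, modeled as an added Python example. This is not the Yearn contract and not the actual defect, which the page does not describe: it is a toy multi-asset pool whose LP token is minted against the increase of a simplified invariant (all assets treated as pegged, so the stableswap invariant reduces to a sum). The buggy share formula `shares_buggy` is a constructed, hypothetical error chosen only to show how a miscalculated mint lets dust deposits capture the pool; the asset names, balances, the `MintExceedsDeposit` exception and the `simulate_drain` helper are assumptions. The hardened path adds the collateral-versus-minted-value check, which rejects the bad mint regardless of how the share formula went wrong.

```python
"""Toy share-accounting model of a pool LP token over a multi-asset pool.
Added illustration, not the Yearn code. Exact rational arithmetic avoids
rounding noise so every number below is reproducible."""
from fractions import Fraction
from typing import Callable, Dict, Tuple

Amounts = Dict[str, Fraction]
ShareCalc = Callable[[Fraction, Fraction, Fraction], Fraction]


class MintExceedsDeposit(Exception):
    """Mint rejected: the LP value handed out would exceed the collateral paid in."""


def shares_correct(supply: Fraction, d_old: Fraction, d_new: Fraction) -> Fraction:
    """Shares proportional to the *increase* of the invariant (standard formula)."""
    return supply * (d_new - d_old) / d_old


def shares_buggy(supply: Fraction, d_old: Fraction, d_new: Fraction) -> Fraction:
    """HYPOTHETICAL defect constructed for this illustration: the ratio is taken
    against the whole new invariant instead of its increase, so a dust deposit
    mints roughly the entire existing supply again."""
    return supply * d_new / d_old


class Pool:
    """Pool issuing one LP token. Assets are treated as pegged 1:1, so the
    stableswap invariant D collapses to the sum of balances; that is enough
    to reason about share accounting."""

    def __init__(self, balances: Dict[str, int], supply: int,
                 share_calc: ShareCalc = shares_correct,
                 enforce_check: bool = True) -> None:
        self.balances: Amounts = {a: Fraction(v) for a, v in balances.items()}
        self.supply = Fraction(supply)
        self.share_calc = share_calc
        self.enforce_check = enforce_check

    def invariant(self) -> Fraction:
        return sum(self.balances.values(), Fraction(0))

    def virtual_price(self) -> Fraction:
        """Pool value per LP token; must never decrease on a deposit."""
        return self.invariant() / self.supply

    def mint(self, amounts: Dict[str, int]) -> Fraction:
        d_old, vp_old = self.invariant(), self.virtual_price()
        deposit = sum((Fraction(v) for v in amounts.values()), Fraction(0))
        d_new = d_old + deposit
        shares = self.share_calc(self.supply, d_old, d_new)
        if self.enforce_check and shares * vp_old > deposit:
            # Independent of the share formula: minted value (at the pre-mint
            # price) may not exceed what was actually deposited. Reverts before
            # any state is written, as an on-chain revert would.
            raise MintExceedsDeposit(
                f"mint of {shares} shares worth {shares * vp_old} for deposit {deposit}")
        for asset, amt in amounts.items():
            self.balances[asset] += Fraction(amt)
        self.supply += shares
        if self.enforce_check and self.virtual_price() < vp_old:
            raise MintExceedsDeposit("virtual price decreased on deposit")
        return shares

    def burn(self, shares: Fraction) -> Amounts:
        """Redeem shares pro rata against every asset in the pool."""
        out: Amounts = {}
        for asset in self.balances:
            out[asset] = self.balances[asset] * shares / self.supply
            self.balances[asset] -= out[asset]
        self.supply -= shares
        return out


def simulate_drain(pool: Pool, dust: int, rounds: int) -> Tuple[Fraction, Fraction]:
    """Attacker deposits `dust` of one asset, immediately redeems whatever shares
    it received, and repeats. Returns (total deposited, total withdrawn)."""
    deposited = withdrawn = Fraction(0)
    for _ in range(rounds):
        shares = pool.mint({"wstETH": dust})
        deposited += dust
        withdrawn += sum(pool.burn(shares).values(), Fraction(0))
    return deposited, withdrawn


if __name__ == "__main__":
    # Constructed starting state: 1000 wstETH + 1000 rETH backing 2000 LP tokens.
    unchecked = Pool({"wstETH": 1000, "rETH": 1000}, 2000, shares_buggy, enforce_check=False)
    dep, out = simulate_drain(unchecked, dust=1, rounds=10)
    print(f"buggy, unchecked: deposited {dep}, withdrew {float(out):.2f}, "
          f"pool left {float(unchecked.invariant()):.2f}")
    checked = Pool({"wstETH": 1000, "rETH": 1000}, 2000, shares_buggy, enforce_check=True)
    try:
        checked.mint({"wstETH": 1})
    except MintExceedsDeposit as e:
        print("buggy, checked: reverted ->", e)
```

Running the drain against the unchecked pool with the buggy formula hands the attacker essentially the whole pool for ten units of dust, because each round mints about as many shares as already exist and the attacker redeems roughly half of everything; the same pool with the check enabled rejects the very first mint. The correct formula passes the check and each round pays out exactly what was deposited.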

Parameters

  • Total Loss Valuation → $9 Million (The confirmed total funds drained from the affected liquidity pools.)
  • Exploit Vector → Infinite Token Minting Logic Flaw (The specific, code-level vulnerability that enabled the attack.)
  • Laundered Funds → ~1,000 ETH (The amount of stolen assets immediately moved to the Tornado Cash mixer.)
  • Affected Product → Legacy yETH Stableswap Pool (The single, isolated contract that contained the vulnerability.)

Outlook

Immediate user mitigation is to confirm that all assets are held in the protocol’s actively managed V3 vaults, since the vulnerability is confined to the legacy yETH pool. The incident reinforces the contagion risk posed by deprecated, unaudited, or custom stableswap logic across DeFi and argues for a sector-wide review of legacy contracts. It will likely push the practice of formally decommissioning retired smart contracts on-chain (disabling deposits and minting, migrating remaining liquidity) so that they stop being persistent attack surfaces.

Verdict

This exploit confirms that legacy smart contract logic, even when isolated from core systems, represents an unacceptable and high-value systemic risk to the digital asset ecosystem.

Signal Acquired from → forklog.com

Micro Crypto News Feeds

staked eth

Definition ∞ Staked ETH refers to Ether (ETH) that has been deposited into the Ethereum 2.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

liquidity pool

Definition ∞ A liquidity pool is a collection of cryptocurrency tokens locked in a smart contract, typically used to facilitate decentralized trading.

liquidity

Definition ∞ Liquidity refers to the degree to which an asset can be quickly converted into cash or another asset without significantly affecting its market price.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

smart contract logic

Definition ∞ Smart contract logic refers to the predefined, self-executing code embedded within a smart contract that dictates its behavior and conditions for execution.