Security

Yearn Legacy Token Exploit Drains Nine Million Dollars via Infinite Minting Flaw

A critical logic flaw in the legacy yETH stableswap contract enabled an infinite token mint, directly compromising $9M in liquidity.
December 1, 20253 min

The image presents a complex interplay of translucent blue liquid and metallic structures, featuring a central block with intricate patterns and a prominent concentric ring element. Small, bubble-like formations are visible within the flowing blue substance, suggesting dynamic processes
A transparent wearable device with a circular display is positioned on a detailed blue circuit board. The electronic pathways on the board represent the complex infrastructure of blockchain technology

Briefing

A sophisticated attacker exploited a critical logic flaw in the Yearn Finance legacy yETH token contract, enabling the unauthorized minting of a near-infinite token supply. This supply manipulation allowed the attacker to drain associated Balancer and Curve liquidity pools by swapping the fake tokens for real assets. The primary consequence is an immediate capital loss and a systemic failure of trust in the deprecated contract’s security posture. Forensic analysis confirms a total loss of approximately $9 million, with a portion immediately routed through a privacy mixer.

The foreground features a white, segmented, robotic-looking structure arranged in a cross-like formation, sharply defined against a soft gray background. Behind it, a blurred, dark blue, circuit-like structure glows with scattered bright blue lights, creating a sense of depth and advanced technology

Context

The prevailing risk factor in this incident was the continued existence of a legacy smart contract that was no longer actively maintained but still held significant user liquidity. This outdated architecture, specifically a custom stableswap implementation, created a vulnerable attack surface separate from the protocol’s modern, audited V2 and V3 vaults. The known class of vulnerability leveraged here is a token minting logic error, a high-severity flaw that grants complete control over asset supply when triggered.

A white, circuit-patterned cylinder, suggestive of a data conduit, is centrally positioned, passing through a dense, blue-lit toroidal structure. This intricate structure is composed of countless interconnected metallic blocks, radiating a digital glow

Analysis

The attacker compromised the yETH token contract, which contained a flaw in its custom stableswap logic that governs the token’s minting function. This logic error allowed the creation of an astronomical number of yETH tokens → estimated at 235 trillion → in a single transaction. The chain of effect began with the attacker leveraging this newly minted, worthless supply to exchange it for valuable, liquid assets (ETH and LSTs) from the paired Balancer and Curve liquidity pools.

The success of the exploit was due to the external pools trusting the inflated, fake yETH balance as valid collateral for a swap, thereby draining the real assets. The rapid execution and immediate laundering of approximately $3 million in ETH through a privacy protocol confirm a high level of operational security from the threat actor.

A sleek, futuristic white and metallic cylindrical apparatus rests partially submerged in dark blue water. From its open end, a significant volume of white, granular substance and vibrant blue particles ejects, creating turbulent ripples

Parameters

  • Total Funds Lost → $9 Million (The combined approximate loss from the yETH stableswap pool and the yETH-WETH Curve pool).
  • Exploit Vector → Infinite Token Minting Flaw (A logic error in the custom yETH stableswap contract).
  • Laundered Amount → 1,000 ETH (Approximately $3 million, sent to Tornado Cash to obscure the trail).
  • Vulnerable Component → Legacy yETH Stableswap Pool (The specific contract containing the minting logic flaw, isolated from V2/V3 vaults).

Central to the image is a metallic core flanked by translucent blue, geometric components, all surrounded by a vibrant, frothy white substance. These elements combine to depict an intricate digital process

Outlook

Immediate mitigation for users involved in similar legacy systems is to withdraw all capital from any deprecated or unmaintained contracts, regardless of past audit history. The second-order effect is a heightened contagion risk for other protocols that rely on custom stableswap code or maintain similar legacy infrastructure, mandating immediate, comprehensive code review. This incident establishes a new security best practice → the implementation of mandatory, irreversible contract decommissioning to prevent future exploitation of dormant, yet funded, attack vectors.

A close-up view reveals a polished, silver-toned mechanical component, resembling a gear or engine part, intricately intertwined with a translucent, textured blue substance. This fluid material appears to flow and shimmer around the metallic structure, exhibiting varying depths of vivid blue and bright internal illumination

Verdict

The Yearn legacy exploit is a definitive case study proving that unmaintained, funded smart contracts represent an unacceptable, systemic liability that must be zeroed out to secure the digital asset ecosystem.

Infinite token minting, Logic flaw exploit, Stableswap pool drain, Legacy contract risk, Asset minting vulnerability, Liquidity pool compromise, Token supply manipulation, On-chain forensics, Smart contract audit, Code-level vulnerability, Decentralized finance security, Multi-step exploit, Cross-protocol risk, Token economics failure, External dependency risk, On-chain loss, Asset security, Protocol risk management, DeFi exploit vector, Financial system integrity, Code logic failure, Token contract flaw, Stolen funds laundering, Privacy protocol use, Single transaction attack Signal Acquired from → forklog.com

Micro Crypto News Feeds

supply manipulation

Definition ∞ Supply manipulation involves illicit actions taken to artificially influence the circulating quantity or perceived scarcity of a digital asset, thereby impacting its market price.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

liquidity pools

Definition ∞ Liquidity pools are pools of digital assets locked in smart contracts, used to facilitate decentralized trading.

privacy protocol

Definition ∞ A privacy protocol is a set of rules and technologies designed to safeguard the confidentiality of user data and transaction details within a digital system.

funds

Definition ∞ Funds, in the context of digital assets, refer to pools of capital pooled together for investment in cryptocurrencies, tokens, or other digital ventures.

exploit vector

Definition ∞ An exploit vector identifies a specific pathway or method through which a vulnerability in a digital asset system or protocol can be compromised.

eth

Definition ∞ ETH is the native cryptocurrency of the Ethereum blockchain.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

Tags:

Tags: