Briefing

A sophisticated attacker exploited a critical logic flaw in the Yearn Finance legacy yETH token contract, enabling the unauthorized minting of a near-infinite token supply. This supply manipulation allowed the attacker to drain associated Balancer and Curve liquidity pools by swapping the fake tokens for real assets. The primary consequence is an immediate capital loss and a systemic failure of trust in the deprecated contract’s security posture. Forensic analysis confirms a total loss of approximately $9 million, with a portion immediately routed through a privacy mixer.


Context

The prevailing risk factor in this incident was the continued existence of a legacy smart contract that was no longer actively maintained but still held significant user liquidity. This outdated architecture, specifically a custom stableswap implementation, created a vulnerable attack surface separate from the protocol’s modern, audited V2 and V3 vaults. The known class of vulnerability leveraged here is a token minting logic error, a high-severity flaw that grants complete control over asset supply when triggered.


Analysis

The attacker compromised the yETH token contract, which contained a flaw in its custom stableswap logic that governs the token’s minting function. This logic error allowed the creation of an astronomical number of yETH tokens (estimated at 235 trillion) in a single transaction. The chain of effect began with the attacker leveraging this newly minted, worthless supply to exchange it for valuable, liquid assets (ETH and LSTs) from the paired Balancer and Curve liquidity pools.

The success of the exploit was due to the external pools trusting the inflated, fake yETH balance as valid collateral for a swap, thereby draining the real assets. The rapid execution and immediate laundering of approximately $3 million in ETH through a privacy protocol confirm a high level of operational security from the threat actor.
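The mint-then-drain sequence described above is exactly what an on-chain monitor should catch before the pools are emptied. The following is an added detection example written for this briefing, not code from Yearn or forklog.com: it runs two rules over constructed ERC-20 Transfer-event records (a mint is a Transfer from the zero address), flagging any transaction whose mints inflate the prior supply beyond a ratio, and then checking whether the freshly minted tokens were pushed into a known liquidity pool in the same transaction. Addresses, transaction ids, and the 50,000-token starting supply are assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

ZERO = "0x0000000000000000000000000000000000000000"  # ERC-20 mint source


@dataclass
class Transfer:
    tx: str        # transaction hash (constructed placeholder)
    token: str
    sender: str
    receiver: str
    amount: int    # raw units, assumed 18 decimals


# Constructed sample: normal activity, then a 235-trillion-token mint that is
# swapped into a pool within the same transaction (assumed addresses).
SUPPLY_BEFORE = {"yETH": 50_000 * 10**18}
POOLS = {"0xcurvepool", "0xbalancerpool"}
SAMPLE = [
    Transfer("0xaaa1", "yETH", ZERO, "0xuser1", 10 * 10**18),       # routine mint
    Transfer("0xaaa2", "yETH", "0xuser1", "0xpool", 5 * 10**18),    # ordinary transfer
    Transfer("0xbad1", "yETH", ZERO, "0xattacker", 235_000_000_000_000 * 10**18),
    Transfer("0xbad1", "yETH", "0xattacker", "0xcurvepool", 1_000 * 10**18),
]


def find_suspicious_mints(transfers, supply_before, max_ratio=0.10):
    """Return {tx: minted} for txs whose mints exceed max_ratio of the token
    supply as it stood before that tx; supply is tracked in event order."""
    supply = dict(supply_before)
    minted_by_tx, baseline, flagged = defaultdict(int), {}, {}
    for t in transfers:
        if t.sender != ZERO:
            continue
        key = (t.tx, t.token)
        baseline.setdefault(key, supply.get(t.token, 0))
        minted_by_tx[key] += t.amount
        supply[t.token] = supply.get(t.token, 0) + t.amount
    for key, minted in minted_by_tx.items():
        before = baseline[key]
        if before == 0 or minted > before * max_ratio:
            flagged[key[0]] = minted
    return flagged


def mint_then_dump(transfers, flagged, pools):
    """Of the flagged txs, return {tx: pool} where a mint recipient sends the
    token into a known liquidity pool in the same tx (the drain pattern)."""
    recipients = defaultdict(set)
    for t in transfers:
        if t.tx in flagged and t.sender == ZERO:
            recipients[t.tx].add(t.receiver)
    return {t.tx: t.receiver for t in transfers
            if t.tx in flagged and t.sender in recipients[t.tx] and t.receiver in pools}
```

A real deployment would feed the detector from an event subscription and alert on the first rule alone; the second rule only tightens the signal toward the pool-drain pattern.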


Parameters

  • Total Funds Lost → $9 Million (The combined approximate loss from the yETH stableswap pool and the yETH-WETH Curve pool).
  • Exploit Vector → Infinite Token Minting Flaw (A logic error in the custom yETH stableswap contract).
  • Laundered Amount → 1,000 ETH (Approximately $3 million, sent to Tornado Cash to obscure the trail).
  • Vulnerable Component → Legacy yETH Stableswap Pool (The specific contract containing the minting logic flaw, isolated from V2/V3 vaults).


Outlook

Immediate mitigation for users involved in similar legacy systems is to withdraw all capital from any deprecated or unmaintained contracts, regardless of past audit history. The second-order effect is a heightened contagion risk for other protocols that rely on custom stableswap code or maintain similar legacy infrastructure, mandating immediate, comprehensive code review. This incident establishes a new security best practice: the implementation of mandatory, irreversible contract decommissioning to prevent future exploitation of dormant, yet funded, attack vectors.


Verdict

The Yearn legacy exploit is a definitive case study proving that unmaintained, funded smart contracts represent an unacceptable, systemic liability that must be zeroed out to secure the digital asset ecosystem.

Signal Acquired from → forklog.com

Micro Crypto News Feeds

supply manipulation

Definition ∞ Supply manipulation involves illicit actions taken to artificially influence the circulating quantity or perceived scarcity of a digital asset, thereby impacting its market price.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

liquidity pools

Definition ∞ Liquidity pools are pools of digital assets locked in smart contracts, used to facilitate decentralized trading.

privacy protocol

Definition ∞ A privacy protocol is a set of rules and technologies designed to safeguard the confidentiality of user data and transaction details within a digital system.

funds

Definition ∞ Funds, in the context of digital assets, refer to capital pooled together for investment in cryptocurrencies, tokens, or other digital ventures.

exploit vector

Definition ∞ An exploit vector identifies a specific pathway or method through which a vulnerability in a digital asset system or protocol can be compromised.

eth

Definition ∞ ETH is the native cryptocurrency of the Ethereum blockchain.

minting logic

Definition ∞ Minting logic defines the predetermined rules and conditions under which new digital assets, such as cryptocurrencies or non-fungible tokens (NFTs), are created or issued on a blockchain.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.