Briefing

A sophisticated attacker exploited a critical logic flaw in the Yearn Finance legacy yETH token contract, enabling the unauthorized minting of a near-infinite token supply. This supply manipulation allowed the attacker to drain associated Balancer and Curve liquidity pools by swapping the fake tokens for real assets. The primary consequence is an immediate capital loss and a systemic failure of trust in the deprecated contract’s security posture. Forensic analysis confirms a total loss of approximately $9 million, with a portion immediately routed through a privacy mixer.


Context

The prevailing risk factor in this incident was the continued existence of a legacy smart contract that was no longer actively maintained but still held significant user liquidity. This outdated architecture, specifically a custom stableswap implementation, created a vulnerable attack surface separate from the protocol’s modern, audited V2 and V3 vaults. The known class of vulnerability leveraged here is a token minting logic error, a high-severity flaw that grants complete control over asset supply when triggered.


Analysis

The attacker compromised the yETH token contract, which contained a flaw in the custom stableswap logic that governs the token’s minting function. This logic error allowed the creation of an astronomical number of yETH tokens (estimated at 235 trillion) in a single transaction. The attacker then swapped this newly minted, unbacked supply for valuable, liquid assets (ETH and LSTs) held in the paired Balancer and Curve liquidity pools.

The success of the exploit was due to the external pools trusting the inflated, fake yETH balance as valid collateral for a swap, thereby draining the real assets. The rapid execution and immediate laundering of approximately $3 million in ETH through a privacy protocol confirm a high level of operational security from the threat actor.
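As an added illustration (not code from Yearn, Balancer or Curve), the following Python scans a constructed sequence of ERC-20 style Transfer events and flags any transaction whose mints (transfers from the zero address) grow the token supply by more than a configured fraction. This is the kind of supply-jump check that a monitor or forensic script could apply to a token like yETH; the addresses, amounts and prior supply are constructed sample values.

```python
"""Mint-anomaly detector for ERC-20 style tokens (added example, constructed data)."""

ZERO = "0x0000000000000000000000000000000000000000"

# Constructed sample events in chain order.
# Fields: (block, tx_hash, from, to, amount in whole tokens)
EVENTS = [
    (100, "0xaaa1", ZERO, "0xuser1", 1_000),        # routine deposit mint
    (101, "0xaaa2", "0xuser1", "0xuser2", 250),     # plain transfer, no supply change
    (102, "0xaaa3", ZERO, "0xuser3", 5_000),        # routine deposit mint
    (103, "0xbad1", ZERO, "0xattacker", 235_000_000_000_000),  # ~235T minted at once
    (103, "0xbad1", "0xattacker", "0xpool", 235_000_000_000_000),  # dumped into a pool
]


def flag_mint_anomalies(events, initial_supply=0, max_growth=0.5):
    """Return (tx_hash, net_minted, supply_before) for every transaction whose
    net mint exceeds max_growth * supply_before.

    Events are grouped by consecutive tx_hash so that a mint and the swap that
    follows it in the same transaction are judged together. Transfers to the
    zero address are treated as burns. A tx that starts from zero supply is never
    flagged, since any genesis mint is infinite relative growth."""
    supply = initial_supply
    flagged = []
    i = 0
    while i < len(events):
        tx = events[i][1]
        net_minted = 0
        j = i
        while j < len(events) and events[j][1] == tx:
            _, _, src, dst, amount = events[j]
            if src == ZERO:
                net_minted += amount
            if dst == ZERO:
                net_minted -= amount
            j += 1
        if supply > 0 and net_minted > max_growth * supply:
            flagged.append((tx, net_minted, supply))
        supply += net_minted
        i = j
    return flagged


if __name__ == "__main__":
    # 50_000 is a constructed prior circulating supply for the sample token.
    for tx, minted, before in flag_mint_anomalies(EVENTS, initial_supply=50_000):
        print(f"ALERT tx={tx} minted={minted:,} supply_before={before:,}")
```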


Parameters

  • Total Funds Lost → $9 Million (The combined approximate loss from the yETH stableswap pool and the yETH-WETH Curve pool).
  • Exploit Vector → Infinite Token Minting Flaw (A logic error in the custom yETH stableswap contract).
  • Laundered Amount → 1,000 ETH (Approximately $3 million, sent to Tornado Cash to obscure the trail).
  • Vulnerable Component → Legacy yETH Stableswap Pool (The specific contract containing the minting logic flaw, isolated from V2/V3 vaults).


Outlook

Immediate mitigation for users of similar legacy systems is to withdraw all capital from any deprecated or unmaintained contracts, regardless of past audit history. The second-order effect is a heightened contagion risk for other protocols that rely on custom stableswap code or maintain similar legacy infrastructure, mandating immediate, comprehensive code review. This incident establishes a new security best practice: mandatory, irreversible contract decommissioning to prevent future exploitation of dormant, yet funded, attack vectors.


Verdict

The Yearn legacy exploit is a definitive case study proving that unmaintained, funded smart contracts represent an unacceptable, systemic liability that must be zeroed out to secure the digital asset ecosystem.

Signal Acquired from → forklog.com
