Briefing

A major security incident has impacted the decentralized finance sector, targeting a legacy yETH product. The primary consequence is the total draining of liquidity pools containing liquid staking assets, causing a direct capital loss for users who provided liquidity to the affected pools. The exploit was facilitated by a critical infinite-minting logic flaw in the custom yETH token contract, resulting in a quantifiable loss of approximately $9 million in ETH and various Liquid Staking Tokens.

Context

This incident underscores the systemic risk posed by maintaining legacy smart contracts with custom, unaudited logic, particularly those interacting with high-value liquid staking derivatives. The prevailing attack surface remains complex token-to-token interactions within stableswap pools, where minor mathematical or logic errors can be weaponized for total liquidity extraction. The lack of robust, continuous formal verification on older, non-core contracts created an unacceptable security debt.

Analysis

The attack vector exploited a flaw within the custom implementation of the yETH token’s minting function, which failed to correctly bound the supply calculation when interacting with the associated stableswap pool. The attacker executed a single transaction to mint an astronomical 235 trillion yETH tokens out of thin air. This artificially inflated token supply was then used to swap for real, underlying assets (specifically ETH and various LSTs) from the Balancer and Curve pools linked to the product, effectively draining the entire pool in a single, atomic operation.
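A monitoring check for the pattern described above, as an added example that is not code from the affected protocol or from the original briefing: it flags any mint that raises the pool-token supply far faster than the backing assets. It does not reproduce the flaw itself, which the briefing does not detail; the names `Mint` and `find_unbacked_mints`, the 5% tolerance, and all sample values except the 235 trillion figure are assumptions.

```python
from dataclasses import dataclass

WAD = 10**18  # 18-decimal fixed-point unit used by ETH and most ERC-20 tokens

@dataclass
class Mint:
    tx: str         # constructed label, not a real transaction hash
    minted: int     # pool tokens created in the transaction (wei units)
    deposited: int  # ETH-equivalent value added in the same transaction (wei units)

def find_unbacked_mints(mints, supply, backing, tolerance_bps=500):
    """Flag mints that raise tokens-per-unit-of-backing by more than tolerance_bps.

    supply and backing are the on-chain totals before the first event.
    Returns (tx, dilution) pairs; dilution is the integer factor by which
    the supply/backing ratio grew. Integer math only, as on-chain.
    """
    alerts = []
    for m in mints:
        new_supply, new_backing = supply + m.minted, backing + m.deposited
        if supply == 0 or backing == 0:
            # Empty pool: no prior ratio, so only a mint with no deposit is flagged.
            if m.minted > 0 and m.deposited == 0:
                alerts.append((m.tx, None))
        elif new_supply * backing * 10_000 > supply * new_backing * (10_000 + tolerance_bps):
            alerts.append((m.tx, (new_supply * backing) // (supply * new_backing)))
        # The chain has already applied the mint, so the totals move either way.
        supply, backing = new_supply, new_backing
    return alerts

# Constructed sample: two ordinary deposits, then a mint of the size the briefing
# reports (235 trillion tokens) against a 1 ETH-equivalent deposit (an assumption).
SAMPLE = [
    Mint("tx-1", 99 * WAD, 100 * WAD),
    Mint("tx-2", 495 * WAD, 500 * WAD),
    Mint("tx-3", 235 * 10**12 * WAD, 1 * WAD),
]

if __name__ == "__main__":
    for tx, dilution in find_unbacked_mints(SAMPLE, 10_000 * WAD, 10_100 * WAD):
        print(f"ALERT {tx}: supply/backing ratio grew about {dilution}x in one transaction")
```

The same inequality can serve as a post-condition in invariant tests, so that a mint path which breaks it fails before deployment rather than being caught afterwards.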

Parameters

  • Total Capital Loss: $9 Million (Total assets drained from the affected yETH stableswap and Curve pools)
  • Vulnerability Type: Infinite Mint Logic Flaw (A bug in the custom token contract’s internal supply calculation)
  • Exploited Asset Quantity: 235 Trillion yETH (The number of fake tokens minted by the threat actor)
  • Affected Contracts: Legacy yETH Stableswap Pool (The older contract implementation, not the V2/V3 vaults)
  • Stolen Assets: ETH and Liquid Staking Tokens (The primary assets removed from the liquidity pools)

Outlook

Immediate mitigation requires the definitive deprecation and de-risking of all legacy contracts with non-standard logic, even those considered non-core to the protocol’s current operations. This exploit will likely establish a new security best practice mandating a zero-tolerance policy for custom token minting logic in high-value pools, driving a shift toward standardized, battle-tested token interfaces. Second-order effects include increased scrutiny on all Liquid Staking Token (LST) derivatives and their integration into complex DeFi primitives across the ecosystem.

Verdict

This exploit confirms that code-level logic flaws in legacy DeFi infrastructure remain the single greatest systemic risk to deposited capital, irrespective of a protocol’s current security maturity.

Signal Acquired from forklog.com

Micro Crypto News Feeds

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

capital loss

Definition ∞ Capital loss occurs when a digital asset is sold for less than its acquisition price.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

systemic risk

Definition ∞ Systemic risk refers to the danger that the failure of one component within a financial system could trigger a cascade of failures across the entire network.