Briefing

A major security incident has impacted the decentralized finance sector, targeting a legacy yETH product. The primary consequence is the total draining of liquidity pools containing liquid staking assets, causing a direct capital loss for users who provided liquidity to the affected pools. The exploit was facilitated by a critical infinite-minting logic flaw in the custom yETH token contract, resulting in a quantifiable loss of approximately $9 million in ETH and various Liquid Staking Tokens.

Context

This incident underscores the systemic risk posed by maintaining legacy smart contracts with custom, unaudited logic, particularly those interacting with high-value liquid staking derivatives. The prevailing attack surface remains complex token-to-token interactions within stableswap pools, where minor mathematical or logic errors can be weaponized for total liquidity extraction. The lack of robust, continuous formal verification on older, non-core contracts created an unacceptable security debt.

Analysis

The attack vector exploited a flaw within the custom implementation of the yETH token’s minting function, which failed to correctly bound the supply calculation when interacting with the associated stableswap pool. The attacker executed a single transaction to mint an astronomical 235 trillion yETH tokens out of thin air. This artificially inflated token supply was then used to swap for real, underlying assets (specifically ETH and various LSTs) from the Balancer and Curve pools linked to the product, effectively draining the entire pool in a single, atomic operation.
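The unbounded-mint condition described above can be watched for off-chain by comparing each mint against the value actually deposited. The following is an added monitoring sketch, not code from the article or from the yETH contracts; the event fields, the thresholds, and the 1:1 bootstrap price are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class MintEvent:
    tx: str                    # transaction label (constructed)
    deposited_value: Decimal   # ETH value of assets added to the pool
    minted: Decimal            # pool tokens credited to the depositor
    supply_before: Decimal     # token supply before the mint
    reserves_before: Decimal   # ETH value of pool reserves before the mint

def check_mint(ev, tolerance=Decimal("0.01"), max_growth=Decimal("0.5")):
    """Return the invariants a mint violates (empty list means it looks sane)."""
    findings = []
    if ev.supply_before == 0 or ev.reserves_before == 0:
        # Empty or bootstrapping pool: assume a 1:1 initial price.
        fair = ev.deposited_value
    else:
        price = ev.reserves_before / ev.supply_before   # ETH per token
        fair = ev.deposited_value / price
    # Invariant 1: tokens minted must be backed by the value deposited.
    if ev.minted > fair * (1 + tolerance):
        findings.append("mint_exceeds_deposit_backing")
    # Invariant 2: one transaction should not multiply the existing supply.
    if ev.supply_before > 0 and ev.minted > ev.supply_before * max_growth:
        findings.append("supply_growth_spike")
    return findings

# Constructed sample events; only the 235 trillion figure comes from the article.
SAMPLE_EVENTS = [
    MintEvent("tx-normal", Decimal("10"), Decimal("9.9"), Decimal("1000"), Decimal("1010")),
    MintEvent("tx-bootstrap", Decimal("5"), Decimal("5"), Decimal("0"), Decimal("0")),
    MintEvent("tx-anomalous", Decimal("0.001"), Decimal("235e12"), Decimal("1000"), Decimal("1010")),
]

def scan(events):
    """Map transaction label -> violated invariants, for flagged mints only."""
    flagged = {}
    for ev in events:
        findings = check_mint(ev)
        if findings:
            flagged[ev.tx] = findings
    return flagged

if __name__ == "__main__":
    for tx, findings in scan(SAMPLE_EVENTS).items():
        print(tx, findings)
```

The same two invariants can be enforced on-chain as a post-mint assertion, which reverts the transaction instead of merely alerting on it.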

Parameters

  • Total Capital Loss → $9 Million (Total assets drained from the affected yETH stableswap and Curve pools)
  • Vulnerability Type → Infinite Mint Logic Flaw (A bug in the custom token contract’s internal supply calculation)
  • Exploited Asset Quantity → 235 Trillion yETH (The number of fake tokens minted by the threat actor)
  • Affected Contracts → Legacy yETH Stableswap Pool (The older contract implementation, not the V2/V3 vaults)
  • Stolen Assets → ETH and Liquid Staking Tokens (The primary assets removed from the liquidity pools)

Outlook

Immediate mitigation requires the definitive deprecation and de-risking of all legacy contracts with non-standard logic, even those considered non-core to the protocol’s current operations. This exploit will likely establish a new security best practice mandating a zero-tolerance policy for custom token minting logic in high-value pools, driving a shift toward standardized, battle-tested token interfaces. Second-order effects include increased scrutiny on all Liquid Staking Token (LST) derivatives and their integration into complex DeFi primitives across the ecosystem.

Verdict

This exploit confirms that code-level logic flaws in legacy DeFi infrastructure remain the single greatest systemic risk to deposited capital, irrespective of a protocol’s current security maturity.

Signal Acquired from → forklog.com

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

capital loss

Definition ∞ Capital loss occurs when a digital asset is sold for less than its acquisition price.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

systemic risk

Definition ∞ Systemic risk refers to the danger that the failure of one component within a financial system could trigger a cascade of failures across the entire network.