Briefing

A major security incident has impacted the decentralized finance sector, targeting a legacy yETH product. The primary consequence is the total draining of liquidity pools containing liquid staking assets, causing a direct capital loss for users who provided liquidity to the affected pools. The exploit was facilitated by a critical infinite-minting logic flaw in the custom yETH token contract, resulting in a quantifiable loss of approximately $9 million in ETH and various Liquid Staking Tokens.

Context

This incident underscores the systemic risk posed by maintaining legacy smart contracts with custom, unaudited logic, particularly those interacting with high-value liquid staking derivatives. The prevailing attack surface remains complex token-to-token interactions within stableswap pools, where minor mathematical or logic errors can be weaponized for total liquidity extraction. The lack of robust, continuous formal verification on older, non-core contracts created an unacceptable security debt.

Analysis

The attack vector exploited a flaw within the custom implementation of the yETH token’s minting function, which failed to correctly bound the supply calculation when interacting with the associated stableswap pool. The attacker executed a single transaction to mint an astronomical 235 trillion yETH tokens out of thin air. This artificially inflated token supply was then used to swap for real, underlying assets (specifically ETH and various LSTs) from the Balancer and Curve pools linked to the product, effectively draining the entire pool in a single, atomic operation.
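A monitoring sketch for the failure mode described above, added here as an example and not taken from the yETH contracts or from the source article: it groups token events by transaction and flags any net mint that is not covered by deposited value or that grows supply abnormally. The event shape, the thresholds, the addresses and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20   # mints are Transfer events from the zero address
WAD = 10**18              # 18-decimal fixed point

@dataclass
class Event:
    tx: str       # constructed transaction label
    kind: str     # "transfer" (pool token) or "deposit" (backing asset value)
    src: str
    dst: str
    amount: int   # wei; for deposits, the ETH-equivalent value (assumed known)

def audit_mints(events, supply, max_growth_bps=1000, slippage_bps=200):
    """Flag transactions whose net mint is unbacked or outsized.

    supply is the token's total supply before the first event.
    """
    txs = {}
    for e in events:                      # group by transaction, keep order
        t = txs.setdefault(e.tx, {"mint": 0, "burn": 0, "dep": 0})
        if e.kind == "deposit":
            t["dep"] += e.amount
        elif e.src == ZERO:
            t["mint"] += e.amount
        elif e.dst == ZERO:
            t["burn"] += e.amount
    alerts = []
    for tx, t in txs.items():
        net = t["mint"] - t["burn"]
        reasons = []
        if net > 0:
            # Backing check: minted value must not exceed deposits plus slippage.
            if net * 10_000 > t["dep"] * (10_000 + slippage_bps):
                reasons.append("unbacked")
            # Growth check: one transaction should not multiply the supply.
            if net * 10_000 > supply * max_growth_bps:
                reasons.append("growth")
        if reasons:
            alerts.append((tx, net, reasons))
        supply += net
    return alerts

# Constructed sample data (not the real transaction): an ordinary deposit,
# a burn-and-remint that nets to zero, and a 235 trillion token mint.
POOL, LP, ATTACKER = "0xpool", "0xlp", "0xattacker"
SAMPLE = [
    Event("tx1", "deposit", LP, POOL, 10 * WAD),
    Event("tx1", "transfer", ZERO, LP, 998 * WAD // 100),
    Event("tx2", "transfer", LP, ZERO, 5 * WAD),
    Event("tx2", "transfer", ZERO, LP, 5 * WAD),
    Event("tx3", "deposit", ATTACKER, POOL, WAD // 100),
    Event("tx3", "transfer", ZERO, ATTACKER, 235 * 10**12 * WAD),
]
ALERTS = audit_mints(SAMPLE, supply=5_000 * WAD)
```

Only `tx3` is flagged, for both reasons; the same two bounds can be enforced on-chain as a pre-mint invariant or off-chain as a pause trigger.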

Parameters

  • Total Capital Loss: $9 Million (Total assets drained from the affected yETH stableswap and Curve pools)
  • Vulnerability Type: Infinite Mint Logic Flaw (A bug in the custom token contract’s internal supply calculation)
  • Exploited Asset Quantity: 235 Trillion yETH (The number of fake tokens minted by the threat actor)
  • Affected Contracts: Legacy yETH Stableswap Pool (The older contract implementation, not the V2/V3 vaults)
  • Stolen Assets: ETH and Liquid Staking Tokens (The primary assets removed from the liquidity pools)

Outlook

Immediate mitigation requires the definitive deprecation and de-risking of all legacy contracts with non-standard logic, even those considered non-core to the protocol’s current operations. This exploit will likely establish a new security best practice mandating a zero-tolerance policy for custom token minting logic in high-value pools, driving a shift toward standardized, battle-tested token interfaces. Second-order effects include increased scrutiny on all Liquid Staking Token (LST) derivatives and their integration into complex DeFi primitives across the ecosystem.

Verdict

This exploit confirms that code-level logic flaws in legacy DeFi infrastructure remain the single greatest systemic risk to deposited capital, irrespective of a protocol’s current security maturity.

Signal Acquired from → forklog.com
