Security

Yearn Legacy yETH Pool Drained by Infinite Minting Logic Flaw

A critical logic flaw in a legacy token's minting function enabled a threat actor to create 235 trillion fake tokens, compromising $9 million in liquid staking assets.
December 1, 20253 min

The image displays a close-up of a high-tech hardware assembly, featuring intricately shaped, translucent blue liquid cooling conduits flowing over metallic components. Clear tubing and wiring connect various modules on a polished, silver-grey chassis, revealing a complex internal architecture
This detailed render showcases a sophisticated, spherical computing module with interlocking metallic and white composite panels. A vibrant, bubbling blue liquid sphere is integrated at the top, while a granular white-rimmed aperture reveals a glowing blue core at the front

Briefing

A major security incident has impacted the decentralized finance sector, targeting a legacy yETH product. The primary consequence is the total draining of liquidity pools containing liquid staking assets, causing a direct capital loss for users who provided liquidity to the affected pools. The exploit was facilitated by a critical infinite-minting logic flaw in the custom yETH token contract, resulting in a quantifiable loss of approximately $9 million in ETH and various Liquid Staking Tokens.

The image showcases precisely engineered metallic and dark blue components, dynamically integrated with translucent, flowing blue liquid. This visual metaphor illustrates a sophisticated modular blockchain architecture, where various protocol layers are interconnected and function in unison, reflecting the complex interplay within a decentralized network

Context

This incident underscores the systemic risk posed by maintaining legacy smart contracts with custom, unaudited logic, particularly those interacting with high-value liquid staking derivatives. The prevailing attack surface remains complex token-to-token interactions within stableswap pools, where minor mathematical or logic errors can be weaponized for total liquidity extraction. The lack of robust, continuous formal verification on older, non-core contracts created an unacceptable security debt.

A highly reflective, abstract metallic object, resembling a fluid digital asset, is partially submerged in tranquil blue water, flanked by intricate white and blue icy formations. This striking imagery symbolizes the dynamic landscape of decentralized finance, where a new digital asset or token emerges from a liquidity pool

Analysis

The attack vector exploited a flaw within the custom implementation of the yETH token’s minting function, which failed to correctly bound the supply calculation when interacting with the associated stableswap pool. The attacker executed a single transaction to mint an astronomical 235 trillion yETH tokens out of thin air. This artificially inflated token supply was then used to swap for real, underlying assets → specifically ETH and various LSTs → from the Balancer and Curve pools linked to the product, effectively draining the entire pool in a single, atomic operation.

A detailed close-up reveals a sleek, futuristic device featuring polished silver-toned metallic components and a vibrant, translucent blue liquid chamber. White, frothy foam overflows from the top and sides of the blue liquid, which is visibly agitated with numerous small bubbles, suggesting a dynamic process

Parameters

  • Total Capital Loss → $9 Million (Total assets drained from the affected yETH stableswap and Curve pools )
  • Vulnerability Type → Infinite Mint Logic Flaw (A bug in the custom token contract’s internal supply calculation )
  • Exploited Asset Quantity → 235 Trillion yETH (The number of fake tokens minted by the threat actor )
  • Affected Contracts → Legacy yETH Stableswap Pool (The older contract implementation, not the V2/V3 vaults )
  • Stolen Assets → ETH and Liquid Staking Tokens (The primary assets removed from the liquidity pools )

A transparent, contoured housing holds a dynamic, swirling blue liquid, with a precision-machined metallic cylindrical component embedded within. The translucent material reveals intricate internal fluid pathways, suggesting advanced engineering and material science

Outlook

Immediate mitigation requires the definitive deprecation and de-risking of all legacy contracts with non-standard logic, even those considered non-core to the protocol’s current operations. This exploit will likely establish a new security best practice mandating a zero-tolerance policy for custom token minting logic in high-value pools, driving a shift toward standardized, battle-tested token interfaces. Second-order effects include increased scrutiny on all Liquid Staking Token (LST) derivatives and their integration into complex DeFi primitives across the ecosystem.

A detailed, close-up view shows a light blue, textured surface forming a deep, circular indentation. A spherical object resembling a full moon floats centrally above this void, symbolizing a digital asset experiencing significant price action or 'mooning' within the DeFi landscape

Verdict

This exploit confirms that code-level logic flaws in legacy DeFi infrastructure remain the single greatest systemic risk to deposited capital, irrespective of a protocol’s current security maturity.

token minting logic, smart contract logic, liquid staking derivatives, decentralized finance protocol, asset management vault, yield aggregation mechanism, stablecoin swap pool, ethereum virtual machine, on-chain transaction analysis, governance token security, liquidity provision risk, impermanent loss mitigation, protocol treasury management, auditing standards enforcement, multi-asset pool design Signal Acquired from → forklog.com

Micro Crypto News Feeds

decentralized finance

Definition ∞ Decentralized finance, often abbreviated as DeFi, is a system of financial services built on blockchain technology that operates without central intermediaries.

liquid staking derivatives

Definition ∞ Liquid Staking Derivatives (LSDs) are tokenized representations of staked cryptocurrencies, allowing users to retain liquidity while participating in proof-of-stake network validation.

token supply

Definition ∞ Token Supply refers to the total quantity of a specific cryptocurrency or digital asset in existence at any given time.

capital loss

Definition ∞ Capital loss occurs when a digital asset is sold for less than its acquisition price.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

liquid staking tokens

Definition ∞ Liquid staking tokens are derivative digital assets that represent staked cryptocurrency, allowing users to retain liquidity while participating in Proof of Stake consensus.

liquid staking

Definition ∞ Liquid Staking is a DeFi mechanism that allows users to stake their cryptocurrency holdings while retaining liquidity.

systemic risk

Definition ∞ Systemic risk refers to the danger that the failure of one component within a financial system could trigger a cascade of failures across the entire network.

Tags:

Tags: