Decentralized finance protocol Yearn Finance suffered a costly setback this week when a technical scripting error resulted in $1.4 million being drained from the protocol’s treasury.
The incident occurred on December 11th during a routine process to convert Yearn’s yVault LP tokens into stablecoins through a swap on decentralized exchange CowSwap.
Keypoints
- A faulty multisignature script caused Yearn Finance’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped, resulting in a $1.4 million loss.
- The error occurred while Yearn was converting LP tokens into stablecoins on CowSwap. Significant slippage resulted in a 63% drop in liquidity pool value.
- The affected funds were strictly protocol-owned liquidity from Yearn’s treasury. No user funds were impacted.
- Yearn has asked any arbitrage traders who profited from the mishap to voluntarily return a reasonable portion of the funds back to Yearn’s treasury.
- At least one trader has already returned $4,500. Yearn aims to improve security measures to prevent similar incidents in the future.
A contributor from Yearn explained that a faulty multisignature script generated insufficient output checks and caps for the trade size, causing Yearn’s entire balance of 3,794,894 lp-yCRVv2 tokens to be exchanged in one fell swoop. This giant swap size triggered massive slippage and shed approximately 63% of value relative to the lp-yCRVv2 token’s spot price.
While the dollar amount lost was significant, Yearn confirmed that only protocol-owned liquidity was affected rather than user funds. “A faulty multisig script caused Yearn’s entire treasury balance…to be swapped,” the contributor wrote on GitHub. “Given that these tokens are critical to Yearn’s yCRV liquidity, we are asking anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig.”
In the aftermath of the coding error, some opportunistic arbitrage traders noticed the severe slippage and stepped in to acquire the tokens at a steep discount, quickly profiting from the market discrepancy. Yearn has directly appealed to these traders to support the protocol’s recovery by voluntarily returning some of their gains.
???? $1.4M WIPED OUT ????
Yearn Finance stated that their treasury fund lost around $1.4M due to a faulty script
Later on, their team claimed that only their LP position was affected, no user’s funds were targeted pic.twitter.com/4FNXN8DAYp
— De.Fi Antivirus Web3 ????️ (@DeDotFiSecurity) December 13, 2023
So far at least one trader has heeded the call, sending 2 Ether (worth approximately $4,500) back to replenish Yearn’s treasury. “Sorry to hear that lads, happens to the best of us,” they wrote in an on-chain message. “Didn’t profit that bigly like some others did, and we did take on some risk and helped the peg, but here’s some back anyway.”
While Yearn attempts to recover the funds, the team is also implementing updated security practices to avoid similar incidents in the future. Some of the key changes include separating protocol liquidity into distinct manager contracts, enforcing readable automated messaging, and instituting stricter slippage limits on large transactions.
Despite this costly setback caused by a coding vulnerability, Yearn Finance maintains extremely high credibility and usage within decentralized finance. The protocol boasts over $700 million in total value locked last year across its yield-generating lending products.