Decentralized finance (DeFi) protocol Yearn Finance grapples with a setback, urging arbitrage traders to return $1.4 million in funds following a multi-signature scripting error. The treasury balance of 3,794,894 lp-yCRVv2 tokens was inadvertently swapped due to a flawed multisig script, as outlined in a GitHub post on December 11 by Yearn contributor “dudesahn.”
The mishap occurred during Yearn’s conversion of yVault LP-yCurve (lp-yCRVv2) tokens, earned from performance fees on vault harvests, into stablecoins on the decentralized exchange CowSwap. The protocol experienced significant slippage: it received 779,958 DAI yVault (yvDAI) tokens from the trade, a 63% drop in the value of the treasury's liquidity pool position relative to lp-yCRVv2’s spot price at the time.
🚨 $1.4M WIPED OUT 🚨
Yearn Finance stated that their treasury fund lost around $1.4M due to a faulty script
Later on, their team claimed that only their LP position was affected, no user's funds were targeted pic.twitter.com/4FNXN8DAYp
— De.Fi Antivirus Web3 🛡️ (@DeDotFiSecurity) December 13, 2023
Yearn confirms the $1.4 million loss but assures users that it affected only “protocol-owned liquidity” in the treasury, with no impact on customer funds.
Given the gravity of the situation, Yearn calls upon arbitrage traders who profited from the incident to voluntarily return a portion of the funds to Yearn’s main multisig. Dudesahn emphasized the critical nature of these tokens to Yearn’s yCRV liquidity.
Trader Returns $4,500, Yearn Enhances Protocol
To expedite recovery, Yearn has engaged directly with traders through on-chain messages. Notably, one arbitrageur has already demonstrated goodwill by returning 2 Ether (ETH), equivalent to $4,500, to Yearn’s treasury address. In an accompanying on-chain message, the trader empathized with the situation and acknowledged the risks taken.
Moreover, YFI is implementing measures, including separating protocol-owned liquidity into specific manager contracts and introducing human-readable output messages. Additionally, YFI is enforcing stricter price impact thresholds to prevent future errors.
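The two script-level safeguards named above, a price impact threshold and a human-readable summary for signers, can be sketched as a pre-signing check. This is an added example, not Yearn's code: the spot price, the 2% limit, the per-order sell cap and all function names are assumptions, and only the two token amounts come from the article.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SwapOrder:
    sell_symbol: str
    buy_symbol: str
    sell_amount: Decimal      # whole tokens the script proposes to sell
    min_buy_amount: Decimal   # least amount of buy token the order accepts


def price_impact(order: SwapOrder, spot_price: Decimal) -> Decimal:
    """Fraction of spot value given up if the order fills at its minimum."""
    expected = order.sell_amount * spot_price
    if expected <= 0:
        raise ValueError("sell amount and spot price must be positive")
    return (expected - order.min_buy_amount) / expected


def review_order(order, spot_price, max_impact, max_sell):
    """Return (approved, report); the report is the text signers read."""
    impact = price_impact(order, spot_price)
    problems = []
    if order.sell_amount > max_sell:
        problems.append(f"sell amount exceeds cap of {max_sell:,.0f} {order.sell_symbol}")
    if impact > max_impact:
        problems.append(f"price impact {impact:.1%} exceeds limit {max_impact:.1%}")
    verdict = "REJECT: " + "; ".join(problems) if problems else "OK to sign"
    report = [
        f"SELL {order.sell_amount:,.0f} {order.sell_symbol}",
        f"FOR at least {order.min_buy_amount:,.0f} {order.buy_symbol}",
        f"value at spot: {order.sell_amount * spot_price:,.0f} {order.buy_symbol}",
        f"price impact: {impact:.1%}",
        "RESULT: " + verdict,
    ]
    return not problems, "\n".join(report)


# Constructed inputs: the amounts are the figures quoted in the article; the
# spot price, the 2% impact limit and the 500,000-token cap are assumptions.
SPOT = Decimal("0.5555")  # yvDAI per lp-yCRVv2, chosen to match the ~63% figure
incident = SwapOrder("lp-yCRVv2", "yvDAI", Decimal("3794894"), Decimal("779958"))

if __name__ == "__main__":
    approved, report = review_order(incident, SPOT, Decimal("0.02"), Decimal("500000"))
    print(report)
```

Run against the article's figures, the check refuses the order on both counts before it reaches the signers.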
This incident adds to Yearn’s challenges following an $11.6 million exploit on April 11. During that event, a hacker managed to mint one quadrillion YFI Tether (yUSDT) tokens and traded them for other stablecoins. Despite these setbacks, Yearn remains committed to fortifying its decentralized finance ecosystem. The project actively seeks the collaboration of the community in addressing vulnerabilities.