Decentralized finance protocol Yearn Finance suffered major losses this week when a technical scripting error led to $1.4 million being drained from the protocol’s treasury.
The incident occurred on December 11 during the routine process of converting Yearn’s yVault LP tokens to stablecoins via a swap on decentralized exchange CowSwap.
Key points:
- A faulty multi-signature script caused Yearn Finance’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped in a single transaction, a loss of about $1.4 million.
- The error occurred while Yearn was converting LP tokens to stablecoins on CowSwap. The oversized swap pushed the realized price of the lp-yCRVv2 tokens roughly 63% below their spot value.
- The funds affected were protocol-owned liquidity from the Yearn Treasury. User funds were not affected.
- Yearn has asked all arbitrageurs who profited from the incident to voluntarily return a reasonable portion of their funds to Yearn’s treasury.
- At least one trader has already returned $4,500. Yearn aims to strengthen its security measures to prevent similar incidents from occurring in the future.
A Yearn contributor explained that the faulty multi-signature script neither enforced a minimum output for the swap nor capped the trade size, so Yearn’s entire balance of 3,794,894 lp-yCRVv2 tokens was swapped in one go. A swap that large relative to the pool’s liquidity caused massive slippage, filling at roughly 63% below the token’s spot price.
Although the dollar amount lost was significant, Yearn confirmed that only protocol-owned liquidity was affected, not user funds. “Yearn’s entire financial balance was replaced due to an incorrect multisig script,” a contributor wrote on GitHub. “Given that these tokens are critical to Yearn’s yCRV liquidity, we are asking anyone who profits from this mistake to return an amount they deem reasonable to Yearn’s native multisig.”
In the aftermath of the coding error, some opportunistic arbitrage traders noticed a significant downtrend and stepped in to acquire tokens at steep discounts, quickly profiting from the market discrepancy. Yearn directly appealed to these traders to support the recovery of the protocol by voluntarily returning some of their profits.
1.4 million dollars gone
Yearn Finance said the faulty script caused its treasury fund to lose about $1.4 million.
Their team later claimed that only LP positions were affected and users’ funds were not targeted.
— De.Fi Antivirus Web3 (@DeDotFiSecurity) December 13, 2023
So far, at least one trader has heeded this request and sent back 2 Ether (worth about $4,500) to replenish Yearn’s treasury. “We are sorry to hear that this happened to us,” they wrote in an on-chain message. “It didn’t make as much of a profit as others and we took some risks and helped Peg, but some of it came back here anyway.”
While Yearn attempts to recover the funds, the team is also adopting updated operational security practices to prevent a repeat. Key changes include moving protocol-owned liquidity into dedicated custodian contracts, requiring human-readable messages for automated transactions, and enforcing stricter slippage limits on large trades.
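To make the failure mode and the announced mitigation concrete, here is an added illustration (not Yearn’s own code) of a treasury swap script with no output check beside a guarded version that caps trade size relative to pool depth and enforces a minimum output. The pool is a constructed constant-product model, not the real lp-yCRVv2 pool, and all numbers and limits in it are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constructed constant-product (x*y=k) pool; not the real lp-yCRVv2 pool."""
    reserve_in: float   # token being sold (the LP token)
    reserve_out: float  # token being bought (a stablecoin)

    def spot_price(self) -> float:
        return self.reserve_out / self.reserve_in

    def amount_out(self, amount_in: float) -> float:
        # Output for amount_in with fees ignored. It grows sub-linearly, so a trade
        # that is large relative to the reserves is filled far below the spot price.
        k = self.reserve_in * self.reserve_out
        return self.reserve_out - k / (self.reserve_in + amount_in)


class SwapRejected(Exception):
    pass


def naive_swap(pool: Pool, balance: float) -> float:
    """The faulty pattern: sell the whole balance with no minimum output and no size cap."""
    return pool.amount_out(balance)


def slippage_bps(pool: Pool, amount_in: float) -> float:
    """How far below the spot price the fill lands, in basis points."""
    expected = amount_in * pool.spot_price()
    return (expected - pool.amount_out(amount_in)) / expected * 10_000


def guarded_swap(pool: Pool, amount_in: float,
                 max_slippage_bps: float = 100.0, max_pool_fraction: float = 0.05) -> float:
    """Hardened pattern: cap trade size relative to the pool and enforce a minimum output.
    The limits (100 bps, 5% of reserves) are assumed values for the illustration."""
    if amount_in > max_pool_fraction * pool.reserve_in:
        raise SwapRejected(f"trade is {amount_in / pool.reserve_in:.1%} of pool reserves")
    min_out = amount_in * pool.spot_price() * (1 - max_slippage_bps / 10_000)
    out = pool.amount_out(amount_in)
    if out < min_out:
        raise SwapRejected(f"fill {out:.2f} is below minimum output {min_out:.2f}")
    return out


def is_swap_allowed(pool: Pool, amount_in: float, **limits) -> bool:
    """Convenience wrapper: True if guarded_swap would accept the trade."""
    try:
        guarded_swap(pool, amount_in, **limits)
        return True
    except SwapRejected:
        return False
```

With equal reserves of one million on each side, dumping a balance equal to the whole reserve fills at half the spot price, while the guarded version refuses anything over 5% of the pool or more than 1% below spot.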
Despite this costly scripting error, Yearn Finance remains a widely used and trusted protocol in decentralized finance, reporting over $700 million in total value locked last year across its yield-generating lending products.