Decentralized finance protocol Yearn.finance is hoping an arbitrage trader will return $1.4 million in funds after a multi-signature scripting error, depleting a significant portion of the protocol’s funds.
“An incorrect multisig script led to the exchange of 3,794,894 lp-yCRVv2 tokens, Yearn’s entire treasury balance,” Yearn contributor “dudesahn” said in a Dec. 11 GitHub post.
An error occurred while converting yVault LP-yCurve (lp-yCRVv2), which Yearn earned as a performance fee for vault harvesting, to a stablecoin on decentralized exchange CowSwap.
$1.4 million loss
Yearn Finance said the faulty script caused its treasury fund to lose about $1.4 million.
Their team later claimed that only LP positions were affected and users’ funds were not targeted. pic.twitter.com/4FNXN8DAYp
— De.Fi Antivirus Web3️ (@DeDotFiSecurity) December 13, 2023
Yearn suffered a significant drawdown when he received 779,958 DAI yVault (yvDAI) tokens in the transaction, resulting in a 63% reduction in the value of the Treasury’s liquidity pool compared to the spot price of lp-yCRVv2 at the time.
Yearn confirmed the $1.4 million figure in a note to The Block.
However, Dudesahn said the affected tokens were “strictly protocol-owned liquidity” from Yearn’s Treasury and that customer funds were not affected.
Given how “critical” these tokens were to Yearn’s yCRV liquidity, the company asked that it consider returning some of the funds to successful arbitrageurs who profited from the event.
“We are asking anyone who may have benefited from this mistake to return whatever amount they consider reasonable to Yearn’s main multi-sig.”
Yearn took the recovery effort a step further by writing an on-chain message to some traders.
Related: Yearn.finance token plummets by 43%, community speculates exit fraud
According to Etherscan, one arbitrageur has already transferred $4,500 worth of 2 Ether (ETH) back to Yearn’s Treasury address. “I’m sorry to hear that news. This happens to all of us. We didn’t make as big of a profit as others, we took some risks and helped the peg, but some came back here anyway,” they added in an on-chain message.
To prevent similar mistakes in the future, Yearn said he would separate protocol-owned liquidity into specific custodian contracts, implement human-readable output messages, and enforce stricter price impact thresholds.
Yearn suffered an $11.6 million attack on April 11 after hackers minted 1 trillion Yearn Tether (yUSDT) tokens and exchanged them for other stablecoins.
magazine: U.S. enforcement agencies are stepping up their game against cryptocurrency-related crimes.