Yearn Finance Suffers 63% Treasury Loss Due to Faulty Script: No User Funds Impacted
In a recent turn of events, decentralized finance protocol Yearn Finance encountered a major setback as a faulty multisig script caused a substantial loss of 63% of its treasury’s position. This incident, detailed in a disclosure post on Github, occurred during a routine fee token conversion process on behalf of Yearn’s treasury.
The flaw in the script triggered the swap of the entire balance of 3,794,894 lp-yCRVv2 tokens, constituting strictly protocol owned liquidity (POL) within Yearn’s treasury. Notably, no user funds were implicated in this incident, as the affected amount solely belonged to Yearn’s internal liquidity.
The consequence of this script malfunction was significant slippage, resulting in the loss of approximately 63% of the LP value, valuing the lp-yCRVv2 tokens at the time of the trade.
The affected tokens, critical to Yearn’s yCRV liquidity, prompt a plea from Yearn Finance to those who may have lucratively profited from this mistake. They’ve requested a return of a reasonable amount to Yearn’s primary multisig ychad.eth, aiming to recuperate from the error.
This mishap is traced back to the inadvertent movement of the entire POL amount to the trading multisig, erroneously treated as fees. The transaction included multiple orders, among which was the swap of the entire lp-yCRVv2 balance, exacerbating the issue.
Two critical oversights compounded the problem:
- The mistaken transfer of the entire lp-yCRVv2 treasury balance instead of the anticipated smaller fees portion.
- Insufficient checks and a logical error within the trading multisig’s token swap script that should have limited the trade size.
Swift corrective action by arbitrage bots and market actors rectified the price deviation shortly after the erroneous swap.
To fortify against similar mishaps, Yearn Finance is implementing additional safeguards:
- Segregating POL funds into dedicated manager contracts.
- Improving readability of output messages on trading scripts.
- Enforcing stricter price impact thresholds.
The losses incurred by Yearn Finance before any returns totaled $1.4 million, representing approximately 2% of the entire treasury. This incident highlights the challenges and risks inherent in decentralized finance operations. Notably, Yearn Finance previously encountered vulnerabilities, such as the $11.6 million damage from an exploit in an early version and a $11 million loss resulting from an exploit in one of its vaults in February.
As Yearn Finance endeavors to fortify its security measures, the incident serves as a pivotal reminder of the ongoing need for robust risk management in the evolving landscape of decentralized finance.
- Hacker Had Drained All Liquidity Pools From Terraport Finance, Causing Losses Of $2 Million
- Are Arbitrum, Wintermute, Terra, FTX, And Alameda Related?
- Yearn Finance Suffers $11.6M Hack Through Aave V1 Protocol, Involving Misconfigured YUSDT Token