Decentralized finance protocol Yearn.finance is urging arbitrage traders to return $1.4 million after a multisignature scripting error drained its treasury. On December 11, Yearn contributor “dudesahn” revealed the error on GitHub, stating that the faulty script caused the protocol’s treasury to swap 3,794,894 lp-yCRVv2 tokens.
“A faulty multisig script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped,” “dudesahn.”
How the Error Occurred
The incident occurred while Yearn was converting its yVault LP-yCurve tokens into stablecoins on CowSwap. The faulty multisignature script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped. This resulted in significant slippage, with Yearn receiving 779,958 DAI yVault tokens and experiencing a 63% drop in liquidity pool value relative to lp-yCRVv2’s spot price at the time.
Yearn confirmed the $1.4 million loss in a note to The Block, emphasizing that the affected tokens were strictly protocol-owned and customer funds were not impacted. Despite the loss, Yearn has reassured its users that their funds are safe.
Yearn’s Recovery Efforts
To mitigate the loss, Yearn has requested arbitrage traders who profited from the error to return a reasonable amount of funds to Yearn’s main multisig wallet. The protocol has even written on-chain messages to some of the traders, asking for the return of the funds.
One arbitrage trader has already transferred 2 Ether (ETH) worth $4,500 back to Yearn’s treasury. The trader included a message stating, “Sorry to hear that lads, happens to the best of us. Didn’t profit that bigly like some others did, and we did take on some risk and helped the peg, but here’s some back anyway.”
To prevent similar mistakes in the future, Yearn plans to separate protocol-owned liquidity into specific manager contracts, implement human-readable output messages, and enforce stricter price impact thresholds.
This incident is not the first time Yearn has faced security challenges. On April 11, Yearn fell victim to an $11.6 million exploit when a hacker managed to mint one quadrillion Yearn Tether (yUSDT) tokens and trade them for other stablecoins. Despite these setbacks, Yearn remains committed to improving its security measures and safeguarding its protocol-owned liquidity.
Community Response and Future Steps
The Yearn community has shown resilience in the face of these challenges. The protocol’s proactive approach to addressing the scripting error and engaging with the community has been commendable. Moving forward, Yearn aims to implement additional safeguards to prevent such incidents and ensure the integrity of its treasury.
Yearn.finance’s dedication to transparency and security continues to strengthen its position in the decentralized finance space. As the protocol works to recover the lost funds and improve its systems, the broader DeFi community watches closely, hopeful that such incidents will become less frequent in the evolving landscape of decentralized finance.
Leave a Reply