A Yearn contributor said the value lost came from “strictly protocol owned liquidity” in the protocol’s treasury and that customer funds weren’t impacted.
179 Total views
1 Total shares
Decentralized finance protocol Yearn.finance is hoping arbitrage traders will return $1.4 million in funds after a multisignature scripting error, resulting in a large amount of the protocol’s treasury being drained.
“A faulty multisig script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped,” according to a Dec. 11 GitHub post by Yearn contributor “dudesahn.”
The error occurred while Yearn was converting its yVault LP-yCurve (lp-yCRVv2) — earned from performance fees on vault harvests — into stablecoins on decentralized exchange CowSwap.
$1.4M WIPED OUT
Yearn Finance stated that their treasury fund lost around $1.4M due to a faulty script
Later on, their team claimed that only their LP position was affected, no user’s funds were targeted pic.twitter.com/4FNXN8DAYp
— De.Fi Antivirus Web3 ️ (@DeDotFiSecurity) December 13, 2023
Yearn suffered significant slippage when it received 779,958 DAI yVault (yvDAI) tokens from the trade, resulting in a 63% fall in liquidity pool value from its treasury — relative to lp-yCRVv2’s spot price at the time.
Yearn confirmed the $1.4 million figure in a note to The Block.
However, Dudesahn said the affected tokens were “strictly protocol-owned liquidity” in Yearn’s treasury and that customer funds weren’t impacted.
Given how “critical” these tokens are to Yearn’s yCRV liquidity, the firm has asked any successful arb traders that profited from the event to consider sending some of the funds back:
“We are asking anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig.”
Yearn took its recovery efforts one step further, writing on-chain messages to some of the traders.
Related: Yearn.finance token tumbles 43%, community speculates on exit scam
One arbitrager has already transferred 2 Ether (ETH), worth $4,500, back to Yearn’s treasury address, according to Etherscan. “Sorry to hear that lads, happens to the best of us. Didn’t profit that bigly like some others did, and we did take on some risk and helped the peg, but here’s some back anyway,” they added in an on-chain message.
To prevent similar mistakes in the future, Yearn said it will separate protocol-owned liquidity into specific manager contracts, implement human-readable output messages and enforce stricter price impact thresholds.
Yearn fell victim to an $11.6 million exploit on April 11 after the hacker managed to mint one quadrillion Yearn Tether (yUSDT) tokens and trade it for other stablecoins.
Magazine: US enforcement agencies are turning up the heat on crypto-related crime
