Yearn asks for money back after it accidentally loses part of its treasury

The incident happened after a “faulty multisig script” swapped Yearn’s entire treasury balance

article-image

Andre Cronje/Shutterstock modified by Blockworks

share

Updated Dec. 13, 2023 at 1:33 pm ET: Modified headline and context following Yearn clarification.

Thanks to a script error, Yearn lost part of its treasury.

While it initially posted that it lost 63% of the treasury, it corrected its GitHub post to say that it lost “63% of the LP value.” The clarification was made Wednesday after Blockworks published the initial figures.

“When factoring in the 779,958 yvDAI tokens received from this trade, the total loss experienced by Yearn’s treasury comes out to about 63%,” the post said initially.

This loss occurred when a malfunction in a multisig (multi-signature) script led to the unintended swap of Yearn’s treasury balance.

The company clarified that the funds were strictly from Yearn’s treasury, and not from any customer funds.

According to a post, a “faulty multisig script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped.” The incident happened on Dec. 11. 

“This amount comprised a large portion of the Curve pool, and therefore incurred significant slippage which arbed back to the normal price by the market shortly after,” Yearn wrote.

“When factoring in the 779,958 yvDAI tokens received from this trade, the total loss experienced by Yearn’s treasury comes out to about 63%.”

The DeFi protocol is also asking “anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig ychad.eth.”

The post explained that multiple oversights led to the faulty transfer. The entire treasury balance, including fees, was transferred to the trading multisig, which sent the transaction to CoW Swap for 30 or so orders — including the one to swap the balance. 

Read more: Sorella and CoW Protocol have something in common: Making on-chain exchanges work better

The post said that the high volume of trades involved in this single transaction significantly complicated the process of human review, leading to the oversight not being caught in time.

“The script used by the trading multisig to swap tokens lacked sufficient output checks and contained a logical error that would have capped the trade size to a reasonable amount,” Yearn wrote.

The protocol put new checks in place to prevent the same error from happening again. These include segregating protocol-owned liquidity (POL) funds into separate entities, enhancing trading scripts with more human-readable output messages, and imposing “stricter price impact thresholds” during trades.

Earlier this year, Yearn was targeted in an attack. The attacker was able to make off with roughly $11 million in stablecoins. 

The attack happened when a vulnerability in a Yearn vault was exploited, allowing the attacker to access tether (USDT) deposits.

Using 10,000 USDT, the attacker then minted 1.2 quadrillion yUSDT — the Yearn-equivalent token — and swapped them for stablecoins using Curve Finance to bag $11.6 million.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2023

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Cover Vertex.jpg

Research

The proliferation of new perp DEXs has led to fragmented liquidity across various DEXs and chains. Vertex, known for its vertically-integrated DEX that includes spot, perpetual, and integrated money markets, is now tackling cross-chain liquidity fragmentation through horizontal integration with the launch of new Edge instances. Vertex's integrated offerings and cross-margined account structure amplify the benefits of new instances: native cross-chain spot trading, optimized cross-chain basis trading, consistent interest rates, reduced bridging friction, and more.

article-image

Partnering with EtherFi and Angle, the fully on-chain perp DEX features bespoke collateral

article-image

Sponsored

Gavin Wood introduced the next evolutionary step for the Polkadot network: the Join-Accumulate Machine, or JAM

article-image

The side events were the places to be at Consensus 2024, according to attendees

article-image

Also, who’s come out swinging in the spot ether ETF fee war — and who could undercut them

article-image

I know it is not in their nature, but US regulators could learn a lot by researching the digital asset frameworks that overseas regulators have already gotten right

article-image

Also, the ETF hype train can count out at least one member