Yearn Finance says faulty script wiped out $1.4 million from treasury

Quick Take

  • Yearn Finance said a faulty script wiped out 63% of a position in its treasury, but user funds were not affected.
  • Yearn is asking users who profited from the bug to return a “reasonable” amount to the protocol’s multisig.

(Yearn Finance corrects statement to show that incident affected 63% of Yearn's own LP position in Lp yCRV.)

Yield-farming protocol Yearn Finance said a faulty multisig script wiped out 63% of a position in its treasury. No user funds were affected. 

The incident took place during a "regular fee token conversion process on behalf of Yearn's treasury," according to a disclosure post on Github. The faulty script caused of 3,794,894 lp-yCRVv2 tokens to be swapped for 779,958 yvDAI tokens.

"The entire treasury balance of lp-yCRVv2 (POL, plus fees) was mistakenly transferred to the trading multisig, when only expected a much smaller fees portion. The script used by the trading multisig to swap tokens lacked sufficient output checks and contained a logical error that would have capped the trade size to a reasonable amount,” the post stated.

The trade led to significant price slippage, "which arbed back to the normal price by the market shortly after," the protocol team wrote, asking any users that profited from the price movement caused by the incident "to return an amount that they feel is reasonable to Yearn's main multisig."

Losses totaled $1.4 million prior to any returned funds, or around 2% of the entire treasury, Yearn told The Block.

THE SCOOP

Keep up with the latest news, trends, charts and views on crypto and DeFi with a new biweekly newsletter from The Block's Frank Chaparro

By signing-up you agree to our Terms of Service and Privacy Policy
By signing-up you agree to our Terms of Service and Privacy Policy

"We are expecting some returned funds, there are communication channels open," a spokesperson said. 

Steps to come

To prevent such incidents in the future, the protocol developers plan to "separate POL funds into dedicated manager contracts, introduce more human-readable output messages on trading scripts and enforce stricter price impact thresholds," the post stated.

Earlier this year, an exploit involving an early Yearn version, called iearn, caused damages of $11.6 million, according to PeckShield. In February, an exploit resulted in the loss of $11 million worth of crypto from one of its vaults.


Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Anna is a senior policy reporter at The Block. She has a background in political journalism and covered Russian civil society for a range of news outlets in Moscow, including the award-winning newspaper Novaya Gazeta. Before joining The Block, Anna spent the past five years investigating cryptocurrency policies and adoption around the world at CoinDesk. Anna owns bitcoin and a gift NFT of sentimental value.

Editor

To contact the editor of this story:
Nathan Crooks at
[email protected]