Yearn Finance says faulty script wiped out $1.4 million from treasury

(Yearn Finance corrects statement to show that incident affected 63% of Yearn's own LP position in Lp yCRV.)

Yield-farming protocol Yearn Finance said a faulty multisig script wiped out 63% of a position in its treasury. No user funds were affected. 

The incident took place during a "regular fee token conversion process on behalf of Yearn's treasury," according to a disclosure post on Github. The faulty script caused of 3,794,894 lp-yCRVv2 tokens to be swapped for 779,958 yvDAI tokens.

"The entire treasury balance of lp-yCRVv2 (POL, plus fees) was mistakenly transferred to the trading multisig, when only expected a much smaller fees portion. The script used by the trading multisig to swap tokens lacked sufficient output checks and contained a logical error that would have capped the trade size to a reasonable amount,” the post stated.

The trade led to significant price slippage, "which arbed back to the normal price by the market shortly after," the protocol team wrote, asking any users that profited from the price movement caused by the incident "to return an amount that they feel is reasonable to Yearn's main multisig."

Losses totaled $1.4 million prior to any returned funds, or around 2% of the entire treasury, Yearn told The Block.

"We are expecting some returned funds, there are communication channels open," a spokesperson said. 

Steps to come

To prevent such incidents in the future, the protocol developers plan to "separate POL funds into dedicated manager contracts, introduce more human-readable output messages on trading scripts and enforce stricter price impact thresholds," the post stated.

Earlier this year, an exploit involving an early Yearn version, called iearn, caused damages of $11.6 million, according to PeckShield. In February, an exploit resulted in the loss of $11 million worth of crypto from one of its vaults.