Key Takeaways
- A flawed multi-signature script caused 63% of Yearn’s treasury to be mistakenly swapped
- As per Yearn. Finance, the affected tokens were strictly protocol-owned liquidity
In a recent setback for decentralized finance (DeFi) stalwart Yearn.finance, a scripting error has led to a loss of $1.4 million from its treasury.
Earlier this week, a flawed multisignature script caused a substantial portion—63%—of Yearn’s treasury to be mistakenly swapped, prompting the platform to seek the cooperation of arbitrage traders who may have profited from the error to consider returning a reasonable portion of the funds.
In a multisig transaction, at least two signatures are required to approve a transaction. Multi-signature involves the necessity of multiple keys to validate a Bitcoin transaction, as opposed to relying on a single signature from a sole key. This method finds utility across various applications.
The scripting glitch unfolded during the conversion of Yearn’s yVault LP-yCurve (lp-yCRVv2) tokens—earned from performance fees—into stablecoins on the decentralized exchange CowSwap.
Oversight in handling treasury funds resulted in the inadvertent transfer of the entire treasury balance, including fees, to a trading multisignature. This triggered over 30 trade orders, including a critical swap that led to the unintended large-scale transaction.
While Yearn.finance confirmed the $1.4 million loss, it emphasized that the affected tokens were strictly protocol-owned liquidity, ensuring that customer funds remained unaffected. The scripting error caused significant slippage, resulting in a 63% fall in the liquidity pool value from the treasury relative to lp-yCRVv2’s spot price at the time.
The platform is now encouraging arbitrage traders who may have profited from the scripting error to consider returning a reasonable amount to Yearn’s main multisignature. Recovery efforts include on-chain messages, with one arbitrager already returning 2 Ether (ETH), equivalent to $4,500, expressing empathy for the situation.
This incident recalls a similar event in April this year when a hacker exploited Yearn.finance, minting over 1 quadrillion Yearn Tether (yUSDT) from a $10,000 investment in the latest DeFi exploit. Despite the setback, Yearn.finance remains resilient, actively addressing vulnerabilities and fortifying its security measures.
To prevent similar errors in the future, the platform plans to separate protocol-owned liquidity into specific manager contracts, introduce human-readable output messages, and enforce stricter price impact thresholds.
