The incident, which occurred during a token conversion process on the decentralized exchange CowSwap, led to a significant drop in the protocol’s treasury balance.
Multisignature script error depletes Yearn’s treasury
Yearn contributor “dudesahn” revealed on GitHub that a faulty multisig script had triggered a swap of Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens.
These tokens were originally part of Yearn’s liquidity pool and had been earned from performance fees on vault harvests. The script error occurred while Yearn was in the process of converting its yVault LP-yCurve (lp-yCRVv2) tokens into stablecoins on CowSwap.
As a result of the error, Yearn received 779,958 DAI yVault (yvDAI) tokens from the trade. Compared with the spot price of lp-yCRVv2 tokens at the time, this conversion led to a 63% decrease in the value of the liquidity pool position held in its treasury.
Yearn confirmed the $1.4 million loss caused by this scripting error. The affected tokens were “strictly protocol-owned liquidity”, and customer funds were not impacted by the incident.
Yearn’s request to arbitrage traders
Recognizing the critical role of these tokens in Yearn’s yCRV liquidity, the protocol has appealed to arbitrage traders who may have profited from the situation, asking them to consider returning a portion of the gains they obtained as a result of the multisig script error.
In a statement, Yearn said it is asking anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig. This move demonstrates Yearn’s commitment to addressing the situation and recovering the lost funds.
An arbitrage trader’s response
One arbitrage trader has already taken the initiative to return a portion of their profits to Yearn’s treasury. This trader transferred 2 Ether (ETH), equivalent to $4,500, back to Yearn’s treasury address, as confirmed on Etherscan.
This gesture exemplifies the collaborative spirit within the DeFi community, where participants are willing to contribute to the stability and integrity of the ecosystem.
Preventing future errors
To prevent similar errors from occurring in the future, Yearn has outlined several measures it plans to implement. These measures include:
Separating Protocol-Owned Liquidity: Yearn will create specific manager contracts to manage protocol-owned liquidity separately. This separation aims to mitigate the risk of large-scale errors affecting the entire treasury.
Human-Readable Output Messages: The protocol will implement human-readable output messages to provide more transparency and clarity during transactions and smart contract interactions. This will make it easier to identify and address issues promptly.
Stricter Price Impact Thresholds: Yearn will enforce stricter price impact thresholds to limit the potential impact of trading errors on the protocol’s assets. These thresholds will serve as a safeguard against significant losses due to unexpected price movements.
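A pre-signing check that combines the last two measures, as an added example that is not Yearn's code: it renders an order in human-readable form and rejects it when the price impact against spot exceeds a limit. The names, the 2% limit and the USD prices are assumptions constructed for illustration; only the two token amounts come from the figures reported above.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed policy value; the page does not state Yearn's actual threshold.
MAX_PRICE_IMPACT = Decimal("0.02")


@dataclass(frozen=True)
class SwapOrder:
    sell_token: str
    sell_amount: Decimal      # whole tokens, already scaled from base units
    buy_token: str
    buy_amount: Decimal       # amount the order would receive
    sell_price_usd: Decimal   # spot reference prices (constructed here)
    buy_price_usd: Decimal
    holder_balance: Decimal   # multisig's total balance of sell_token


def price_impact(order: SwapOrder) -> Decimal:
    """Fraction of spot value given up if the order executes as written."""
    value_in = order.sell_amount * order.sell_price_usd
    value_out = order.buy_amount * order.buy_price_usd
    if value_in <= 0 or order.holder_balance <= 0:
        raise ValueError("sell value and holder balance must be positive")
    return (value_in - value_out) / value_in


def review(order: SwapOrder, max_impact: Decimal = MAX_PRICE_IMPACT):
    """Return (approved, summary); signers read the summary, not calldata."""
    impact = price_impact(order)
    share = order.sell_amount / order.holder_balance
    approved = impact <= max_impact
    summary = (
        f"SELL {order.sell_amount:,.0f} {order.sell_token} "
        f"({share:.1%} of balance)\n"
        f"FOR  {order.buy_amount:,.0f} {order.buy_token}\n"
        f"Price impact vs spot: {impact:.2%} (limit {max_impact:.2%})\n"
        f"Decision: {'OK to sign' if approved else 'REJECT, do not sign'}"
    )
    return approved, summary


# Token amounts as reported on the page; USD prices are constructed.
reported = SwapOrder("lp-yCRVv2", Decimal("3794894"), "yvDAI",
                     Decimal("779958"), Decimal("0.58"), Decimal("1.04"),
                     Decimal("3794894"))

if __name__ == "__main__":
    print(review(reported)[1])
```

With the constructed prices, the reported order shows as selling 100% of the balance at roughly 63% price impact and is rejected before any signature is collected.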
Yearn’s history with exploits
This is not the first time Yearn.Finance has faced a significant security incident. On April 11th, the protocol fell victim to an $11.6 million exploit, during which a hacker managed to mint an astonishing one quadrillion Yearn Tether (yUSDT) tokens. The attacker subsequently traded these tokens for other stablecoins, causing substantial financial damage to the platform.
These past experiences have likely contributed to Yearn’s proactive approach to addressing and rectifying errors promptly, as evidenced by its response to the recent multisignature script error.