Yearn Finance, a prominent player in the yield-farming sector, recently reported a critical error in its multi-signature (multisig) script. This error led to an unintended transfer and subsequent swap of a substantial portion of its treasury, resulting in a loss estimated at $1.4 million. This incident was disclosed in a post on GitHub.
During what was described as a routine fee token conversion for the treasury, a flawed script mistakenly swapped 3,794,894 lp-yCRVv2 tokens for 779,958 yvDAI tokens. The error stemmed from the entire treasury balance of lp-yCRVv2, including both Position of Liquidity (POL) and fees, being sent to a trading multisig. This transfer was far greater than the intended fees portion. The faulty script, lacking proper output checks and containing a logical flaw, failed to limit the trade size, leading to significant price slippage.
Market impact and subsequent actions
The unexpected trade caused notable market disruptions, and arbitrage quickly brought the price back to normal levels. Yearn Finance appealed to users who profited from this price movement, asking them to return what they deemed reasonable to the protocol’s main multisig wallet. Before any such returns, the losses amount to approximately 2% of the entire treasury.
In response to this incident, Yearn Finance outlined several corrective measures. The team plans to segregate POL funds into dedicated manager contracts, enhance the readability of output messages in trading scripts, and impose stricter price impact thresholds. These steps aim to fortify the protocol against similar mishaps in the future.
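The sketch below is an added example, not Yearn's script: a pre-trade check of the kind the corrective measures describe, which compares the amount about to be sold against the intended amount, enforces a price impact threshold, and reports failures in readable form. The two token amounts come from the article; the intended fee amount, the reference price, the thresholds and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SwapPlan:
    sell_amount: Decimal      # what the script is about to sell
    intended_amount: Decimal  # what the operator meant to sell (fees only)
    quoted_out: Decimal       # output quoted for sell_amount
    reference_price: Decimal  # buy tokens per sell token at small trade size

def price_impact(plan: SwapPlan) -> Decimal:
    """Fraction of output lost relative to the reference price."""
    fair_out = plan.sell_amount * plan.reference_price
    return (fair_out - plan.quoted_out) / fair_out

def min_output(plan: SwapPlan, max_impact=Decimal("0.01")) -> Decimal:
    """Floor to attach to the trade so execution cannot be worse than the limit."""
    return plan.sell_amount * plan.reference_price * (1 - max_impact)

def review_swap(plan: SwapPlan, max_impact=Decimal("0.01"),
                size_tolerance=Decimal("0.001")) -> list:
    """Return readable failures; an empty list means the swap may proceed."""
    failures = []
    # Size check: the balance handed to the trade must match the intended amount.
    if plan.sell_amount > plan.intended_amount * (1 + size_tolerance):
        failures.append(f"SIZE: selling {plan.sell_amount:,.0f}, "
                        f"intended {plan.intended_amount:,.0f}")
    # Output check: the quote must stay within the price impact threshold.
    impact = price_impact(plan)
    if impact > max_impact:
        failures.append(f"IMPACT: {impact:.1%} exceeds limit {max_impact:.1%}")
    return failures

# Constructed inputs: sell_amount and quoted_out for INCIDENT are the figures
# in the article; intended_amount (100,000) and reference_price (0.55) are
# assumptions made up for this example.
INCIDENT = SwapPlan(Decimal("3794894"), Decimal("100000"),
                    Decimal("779958"), Decimal("0.55"))
FEES_ONLY = SwapPlan(Decimal("100000"), Decimal("100000"),
                     Decimal("54800"), Decimal("0.55"))

if __name__ == "__main__":
    for name, plan in (("incident", INCIDENT), ("fees only", FEES_ONLY)):
        result = review_swap(plan) or ["OK"]
        print(f"{name}: {'; '.join(result)} (min_out={min_output(plan):,.0f})")
```

Either check alone would have stopped the trade in this constructed scenario; running both means a wrong balance is caught even when liquidity is deep enough to hide it from the impact check.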
Context of security challenges
This event is not the first security challenge Yearn Finance has faced. Earlier this year, an exploit targeting an early version of the protocol, known as iearn, led to losses of $11.6 million, as reported by PeckShield, a blockchain security firm. Additionally, in February, another exploit resulted in the theft of $11 million in cryptocurrencies from one of its vaults.
While not directly impacting user funds, the recent incident underscores the ongoing security and operational challenges in the decentralized finance (DeFi) space.
Yearn Finance’s proactive response and commitment to improving its systems demonstrate the protocol’s resilience and adaptability in the face of these challenges.