Yearn Finance Hit by 63% Treasury Loss Due to Script Glitch

In a significant setback for Yearn Finance, a leading player in the decentralized finance (DeFi) sector, a script malfunction in its multisig (multi-signature) system led to a substantial loss of its treasury assets. The incident on December 11 resulted in the unintended swap of Yearn’s treasury balance, amounting to a loss of approximately 63%.

The company confirmed that the loss affected only the treasury funds and did not impact customer funds. The mishap involved the accidental exchange of 3,794,894 lp-yCRVv2 tokens from Yearn’s treasury. This transaction, executed on CoW Swap, led to significant market slippage due to the large volume involved, further exacerbating the loss.

Yearn Finance Treasury Error Triggers Huge Loss

The event unfolded as a result of multiple oversights in handling the treasury funds. Yearn’s statement explained that the entire treasury balance, including fees, was mistakenly transferred to a trading multisig, initiating over 30 trade orders. Among these was the critical swap of the treasury balance.

This transaction’s complexity and high volume of trades hindered effective human review, allowing the error to pass unnoticed. The protocol identified that the script used for token swapping lacked adequate output checks and contained a logical flaw. This flaw failed to cap the trade size, leading to the unintended large-scale transaction.

New Safety Steps at Yearn Post Loss

Yearn Finance has implemented several measures to prevent a recurrence in response to this incident. The protocol plans to segregate protocol-owned liquidity (POL) funds into separate entities and enhance its trading scripts to produce more comprehensible output messages. Additionally, it will enforce stricter price impact thresholds during trades.

This incident is not the first security challenge Yearn has faced. Earlier in the year, the protocol was the target of an attack where a vulnerability in a Yearn vault was exploited, resulting in the theft of approximately $11 million in stablecoins. The attacker utilized a small amount of tether (USDT) to mint a vast quantity of yUSDT. This Yearn-equivalent token was exchanged for stablecoins, culminating in a significant financial loss for the protocol.

Yearn Finance has reached out to the community, appealing to those who profited from arbitraging the mistake to return a reasonable amount to Yearn’s main multisig wallet, ychad.eth. This appeal highlights the collaborative and self-regulating nature of the DeFi community.

Read Also: FASB Introduces Fair-Value Crypto Accounting Standards