In a recent setback, DeFi protocol Yearn Finance witnessed a substantial depletion of $1.4 million from its treasury, all stemming from a malfunctioning multisig script. The incident unfolded during the conversion of yVault LP-yCurve tokens into stablecoins on CowSwap, with the affected tokens identified as “strictly protocol-owned liquidity.”
A GitHub post on December 11 revealed that a routine fee token conversion process on behalf of Yearn’s treasury went awry due to a flawed multisig script. This script led to the swapping of the entire treasury balance—3,794,894 lp-yCRVv2 tokens—for 779,958 yvDAI tokens. Notably, the script lacked sufficient output checks and contained a logical error, allowing the trade size to surpass reasonable limits.
🚨 $1.4M WIPED OUT 🚨
Yearn Finance stated that their treasury fund lost around $1.4M due to a faulty script
Later on, their team claimed that only their LP position was affected, no user's funds were targeted pic.twitter.com/4FNXN8DAYp
— De.Fi Antivirus Web3 🛡️ (@De_FiSecurity) December 13, 2023
The magnitude of tokens involved constituted a significant portion of the Curve pool, resulting in substantial slippage and a loss of approximately 63% of liquidity provider (LP) value. Web3 security firm http://De.Fi confirmed the total loss at $1.4 million at the time of reporting.
Yearn Finance emphasized that no user funds were compromised, clarifying that the impacted tokens belonged exclusively to the protocol’s treasury. Despite this assurance, arbitrage traders swiftly seized the opportunity to capitalize on the price discrepancy, prompting Yearn to appeal for a return of profits from those who exploited the mistake.
