The yield-farming protocol Yearn Finance encountered a significant setback due to a malfunction in its multisig script. The issue led to the unintended exchange of a substantial portion of its treasury assets. Specifically, 63% of Yearn Finance’s treasury, comprising 3,794,894 lp-yCRVv2 tokens, was erroneously swapped for 779,958 yvDAI tokens.
This incident occurred during a routine fee token conversion process intended for the treasury’s benefit. The malfunction resulted from a flawed script that incorrectly transferred the entire treasury balance of lp-yCRVv2, including principal-optimization-liquidity (POL) and accrued fees, to a trading multisig. This action was far beyond the intended scope, which was to transfer only a smaller portion related to fees.
Financial impact and market reaction
The repercussions of this error were immediate and significant. The large-scale trade executed by the script led to a notable price slippage. However, market mechanisms quickly corrected this deviation, bringing the prices back to normal shortly after the incident.
Yearn Finance reported a total loss of $1.4 million from this mishap, constituting approximately 2% of its entire treasury. The protocol has opened communication channels and is anticipating some funds to be returned by users who profited from the resulting price movements. They have appealed to these users to return an amount they deem reasonable to Yearn Finance’s main multisig.
Preventative measures and historical context
In response to this incident, Yearn Finance’s development team has outlined several steps to prevent future occurrences of similar errors. These include segregating POL funds into distinct manager contracts, enhancing the readability of output messages in trading scripts, and implementing stricter price impact thresholds.
This is not the first time Yearn Finance has faced security challenges. Earlier this year, an exploit in an early version of the protocol, known as iearn, led to a loss of $11.6 million, as reported by security firm PeckShield. Additionally, in February, an exploit resulted in the loss of $11 million worth of cryptocurrency from one of Yearn Finance’s vaults.
This series of events underscores the importance of robust security protocols and thorough testing in the rapidly evolving world of decentralized finance (DeFi). As Yearn Finance navigates through these challenges, the DeFi community remains vigilant, emphasizing the need for continuous improvement in security measures to safeguard assets and maintain user trust.