Yearn.finance, a prominent DeFi protocol, suffered a 60% loss on a position in its treasury due to a flawed multisig script. The project is currently reaching out to arbitrageurs who profited from this error, requesting the return of funds. The team assured users that funds remain unaffected. Prior to any reimbursements, the losses amounted to $1.4 million, approximately 2.9% of the platform's total treasury.

Yearn focuses on optimizing yields for crypto asset holders. Users can enhance their earnings from lending and trading via this platform. Yearn automatically transfers user funds across different DeFi protocols to secure the most favorable yields. This innovative strategy in automated investments has established this protocol as a significant entity in the DeFi ecosystem, boasting a TVL of over $346 million.

Banteg, the lead developer at Yearn, detailed the incident on GitHub. He explained that a faulty multisig script had led to the unintended sale of Yearn-owned yCRV liquidity. Instead of selling only the earned fees, the entire balance of 3,794,894 lp-yCRVv2 tokens was swapped. These tokens, valued at $2,258,668, were sold for only $841,693, resulting in a 63% slippage and a realized loss of $1,416,975.

Banteg notes that approximately 25 users, from sophisticated MEV bots to regular traders who inadvertently gained an advantage, profited from the error. Consequently, it is too early to determine the total amount recovered.

The team is now attempting to contact the ‘lucky traders’. However, so far, only one arbitrageur has returned funds, amounting to 2 ETH.

In reaction to the loss, the protocol is planning to implement new rules. These include the incorporation of more human-readable output messages in trading scripts and the enforcement of stricter price impact thresholds.
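A pre-signing check of the kind described above, written as an added example; it is not Yearn's code. It combines a sell-amount cap, a price impact limit and a readable summary for signers. The `SwapPlan` fields, the 1% limit and the `earned_fees` figure are assumptions, while the other incident figures are the ones reported above.

```python
from dataclasses import dataclass
from decimal import Decimal

MAX_PRICE_IMPACT = Decimal("0.01")  # assumed 1% ceiling; the article gives no figure


class SwapRejected(Exception):
    """Raised when a proposed swap fails a pre-signing check."""


@dataclass(frozen=True)
class SwapPlan:  # hypothetical structure, for illustration only
    token: str
    sell_amount: Decimal     # tokens the script intends to sell
    earned_fees: Decimal     # tokens the script is permitted to sell
    fair_value_usd: Decimal  # reference value of sell_amount
    quoted_out_usd: Decimal  # value the pool quotes for sell_amount


def price_impact(plan: SwapPlan) -> Decimal:
    """Fraction of the reference value lost at the quoted price."""
    return 1 - plan.quoted_out_usd / plan.fair_value_usd


def review(plan: SwapPlan, max_impact: Decimal = MAX_PRICE_IMPACT) -> str:
    """Return a human-readable summary for signers, or raise SwapRejected."""
    impact = price_impact(plan)
    summary = (
        f"SELL {plan.sell_amount:,.0f} {plan.token} "
        f"(fees available: {plan.earned_fees:,.0f})\n"
        f"  fair value ${plan.fair_value_usd:,.0f} -> quoted ${plan.quoted_out_usd:,.0f}\n"
        f"  price impact {impact:.1%} (limit {max_impact:.1%})"
    )
    if plan.sell_amount > plan.earned_fees:
        raise SwapRejected("sell amount exceeds earned fees\n" + summary)
    if impact > max_impact:
        raise SwapRejected("price impact above limit\n" + summary)
    return summary


# Incident figures from the article; earned_fees is a constructed value.
INCIDENT = SwapPlan("lp-yCRVv2", Decimal("3794894"), Decimal("100000"),
                    Decimal("2258668"), Decimal("841693"))
```

Calling `review(INCIDENT)` raises `SwapRejected` on the amount check, and the attached summary shows the price impact that the second check would also have caught.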

This is not the first security incident Yearn has faced this year. On April 13, the protocol suffered an attack due to a misconfiguration in the yUSDT vault. The attackers managed to steal around $11.54 million. The vulnerability was caused by a bug in one of the project’s old contracts. 

Furthermore, in 2021, the protocol experienced a hack resulting in a loss of $11 million. In this incident, the attacker used flash loans to exploit a misconfigured vault in the protocol.

Despite these incidents, the protocol continues to operate successfully and maintains a substantial TVL.

The most recent incident has not significantly affected the price of Yearn’s token, YFI. It is trading at about $8,300, with a market capitalization of $279 million.
