(Yearn Finance corrects the statement to show that the incident affected 63% of Yearn’s own LP position in Lp yCRV.)
Yield farming protocol Yearn Finance said a a faulty multisig script wiped out 63% of a treasury position. No user funds were affected.
The incident occurred during a “regular token conversion process on behalf of Yearn’s treasury,” according to a disclosure after on Github. The faulty script caused 3,794,894 lp-yCRVv2 tokens to be exchanged for 779,958 yvDAI tokens.
“The entire treasury balance of lp-yCRVv2 (POL, plus fees) was mistakenly transferred to the trading multisig, when only a much smaller portion of the fees was expected. The script used by the trading multisig to exchange tokens lacked sufficient execution controls and contained a logical error that would have limited the trade size to a reasonable amount,” the message said.
The trade led to a significant price drop, “which was returned to normal by the market shortly afterwards,” the protocol team wrote, asking all users who benefited from the price movement caused by the incident to “return an amount they believe it is valuable’. reasonable to Yearn’s premier multisig.”
The losses totaled $1.4 million before any money was returned, or about 2% of the entire treasury, Yearn told The Block.
“We expect some money back, communication channels are open,” a spokesperson said.
There are more steps to come
To prevent such incidents in the future, the protocol developers plan to “split POL funds into dedicated manager contracts, introduce more human-readable output messages on trading scripts, and enforce stricter price impact thresholds,” the release said.
Earlier this year, an exploit involving an early Yearn version called iearn caused $11.6 million in damage, according to PeckShield. In February, an exploit resulted in the loss of $11 million worth of crypto from one of the vaults.
