DeFi protocol Yearn Finance lost a large chunk of tokens from its treasury during an error that transpired when converting yVault LP-yCurve tokens into stablecoins on CowSwap.
In a GitHub post on Dec. 11, Yearn contributor dudesahn noted that a regular fee token conversion process on behalf of Yearn’s treasury had gone wrong due to a faulty multisig script.
The script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped for 779,958 yvDAI tokens. The script used by the trading multisig to swap tokens lacked sufficient output checks and contained a logical error that would have capped the trade size to a reasonable amount.
Seeing as the amount of tokens comprised a large portion of the Curve pool, it incurred significant slippage, where around 63% of liquidity provider (LP) value was lost.
Web3 security firm De.Fi noted that the total amount lost in the incident was $1.4 million at the time of writing – something that Yearn also confirmed to The Block in a statement shortly after,
🚨 $1.4M WIPED OUT 🚨
Yearn Finance stated that their treasury fund lost around $1.4M due to a faulty script
Later on, their team claimed that only their LP position was affected, no user's funds were targeted pic.twitter.com/4FNXN8DAYp
— De.Fi Antivirus Web3 🛡️ (@DeDotFiSecurity) December 13, 2023
Yearn noted that no user funds were compromised, and the affected tokens were “strictly protocol-owned liquidity” that belong to Yearn’s treasury.
Some arbitrage traders that noticed the slippage moved quickly to snap up the tokens and profit from the price discrepancy.
“Given that these tokens are critical to Yearn’s yCRV liquidity, we are asking anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig,” wrote the Yearn team.