Yearn Finance loses $1.4 million due to a transaction error

As a result of an ‘erroneous scenario’ multisig-transaction, the DeFi protocol Yearn Finance lost 63% of its treasury funds in the yCRV LP pool.

According to the message, the incident occurred during the ‘regular process of converting fee tokens’ and led to the exchange of 3,794,894 yCRV for 779,958 yvDAI. In a comment for The Block, the team clarified that losses amounted to $1.4 million.

The yCRV liquidity-staking token is presented in the protocol’s pool as Curve’s CRV coin. The project allocates funds to support liquidity and earns revenue in the form of fees.

However, due to a glitch in the exchange script for swaps on the DEX CoW Swap, all treasury funds were sent to one of the protocol’s largest pools. The trade triggered significant price slippage, which was exploited by arbitrageurs and other market participants.

“Given that these tokens are crucial to Yearn’s yCRV liquidity, we urge everyone who benefited from this error to return the amount they deem reasonable,” the team wrote.

The developers explained that the erroneous transfer of the entire Yearn Finance balance in the pool was one of 30 orders executed via the multisig transaction. This hindered manual oversight, and the fee-swap script ‘lacked sufficient withdrawal checks and contained a logical error’ in the swap size limit.

To prevent similar incidents, Yearn Finance adopted a series of safeguards, including:

• dividing treasury funds in the pool into contracts with separate managers;
• implementation of more readable exit messages in trading scripts;
• tightening price-impact thresholds.

In April, an attacker drained crypto assets worth $11.6 million from the protocol via an exploit in the yUSDT stablecoin contract. The asset is the analogue of the ‘stablecoin’ from Tether.