Yearn.finance, a decentralized finance protocol, suffered a setback when a scripting error drained $1.4 million from its treasury. The incident caused a significant fall in the protocol's liquidity pool value.
The error occurred during a process that converts yVault LP-yCurve tokens into stablecoins on CowSwap, and it caused a 63% decline in liquidity pool value. A Yearn contributor confirmed the issue, specifying that the affected funds came from the protocol's treasury and were not customer funds.
During a regular fee token conversion process on behalf of Yearn's treasury, a faulty multisig script caused Yearn's entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped. This amount was strictly protocol owned liquidity (POL) belonging to Yearn's treasury and does not contain any user funds. This amount comprised a large portion of the Curve pool, and therefore incurred significant slippage which was arbed back to the normal price by the market shortly after, according to a disclosure post on GitHub.
Acknowledging the impact on their yCRV liquidity, Yearn urged arbitrage traders who benefited from the incident to consider returning some profits to its main multisignature address. The protocol took additional steps, such as on-chain messages and recovery initiatives, encouraging the return of funds.
To avoid similar errors, Yearn announced plans to segregate protocol-owned liquidity, introduce human-readable output messages, and enforce stricter price impact thresholds.
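The three safeguards above can be combined into one pre-flight check that runs before a swap is put in front of multisig signers. The sketch below is an added example, not Yearn's script: `SwapPlan`, `preflight`, the 1% limit, the fee balance, the reference price and the quotes are assumptions or constructed values; only the 3,794,894 figure comes from the disclosure.

```python
from dataclasses import dataclass
from decimal import Decimal

MAX_PRICE_IMPACT = Decimal("0.01")  # assumed policy limit (1%), not Yearn's value

@dataclass(frozen=True)
class SwapPlan:
    token: str
    sell_amount: Decimal  # amount the script is about to sell
    fee_balance: Decimal  # fee tokens held in the segregated fee wallet
    pol_balance: Decimal  # protocol-owned liquidity, never sold by this job
    ref_price: Decimal    # reference price per token, in stablecoin units
    quoted_out: Decimal   # stablecoins the venue quotes for sell_amount

def price_impact(plan):
    """Fraction of value lost versus selling at the reference price."""
    fair_value = plan.sell_amount * plan.ref_price
    if fair_value <= 0:
        raise ValueError("sell amount and reference price must be positive")
    return (fair_value - plan.quoted_out) / fair_value

def preflight(plan):
    """Return (ok, report); report is the text a signer reads before approving."""
    impact = price_impact(plan)
    problems = []
    if plan.sell_amount > plan.fee_balance:  # segregation check
        problems.append("sell amount exceeds fee balance, would dip into POL")
    if impact > MAX_PRICE_IMPACT:            # price impact threshold
        problems.append(f"price impact {impact:.2%} exceeds limit {MAX_PRICE_IMPACT:.2%}")
    report = [                               # human-readable output
        f"SELL {plan.sell_amount:,.0f} {plan.token}",
        f"fee balance {plan.fee_balance:,.0f}, POL {plan.pol_balance:,.0f}",
        f"quoted out {plan.quoted_out:,.0f}, price impact {impact:.2%}",
        "RESULT: " + ("OK" if not problems else "ABORT: " + "; ".join(problems)),
    ]
    return not problems, "\n".join(report)

# Constructed sample plans: a routine fee sale, and a script selling the whole balance.
POL = Decimal("3794894")  # lp-yCRVv2 amount stated in the disclosure
ROUTINE = SwapPlan("lp-yCRVv2", Decimal("50000"), Decimal("50000"), POL,
                   Decimal("1"), Decimal("49800"))
FAULTY = SwapPlan("lp-yCRVv2", POL, Decimal("50000"), POL,
                  Decimal("1"), Decimal("2500000"))

if __name__ == "__main__":
    for plan in (ROUTINE, FAULTY):
        print(preflight(plan)[1], end="\n\n")
```

Either failed check alone is enough to abort, so a plan that stays within the fee balance is still rejected if the quote is poor.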
This isn't the first time Yearn.finance faced a significant loss, as an $11.6 million exploit occurred earlier in April, resulting in a massive minting of Yearn Tether tokens by a hacker.