How Yearn.finance’s Multisignature Mishap Led to a $1.4 Million Treasury Drain
Yearn.finance, a DeFi protocol, encountered a problem with a multisignature script that resulted in a significant portion of its treasury being drained, amounting to $1.4 million. This issue occurred during the conversion of Yearn’s yVault LP-yCurve tokens (lp-yCRVv2) into stablecoins on the decentralized exchange CowSwap.
A multisig wallet requires several authorized signers to approve a transaction before it executes, but it only enforces that approval; it does not verify that what was proposed is what the signers intended. In this case the script that prepared the treasury swap for the multisig was faulty, and the approved transaction swapped Yearn's entire treasury balance of 3,794,894 lp-yCRVv2 tokens in a single trade.
Now, Yearn.finance is appealing to arbitrage traders, who may have benefited from this unintended swap, to return the funds to the protocol. The hope is to recover the $1.4 million that was mistakenly drained from Yearn’s treasury. The details of the incident were shared on GitHub by a Yearn contributor named “dudesahn” on December 11.
What Happened
1. December 11, 2023: Multisig Script Error and Fund Drainage
– Yearn.finance, a decentralized finance (DeFi) protocol, faced a multisignature script error during the conversion of yVault LP-yCurve tokens (lp-yCRVv2) into stablecoins on CowSwap.
– The error resulted in the unintended swap of Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens, draining $1.4 million from the protocol.
2. Slippage and Liquidity Impact
– Yearn received 779,958 DAI yVault (yvDAI) tokens for the trade, which, because the entire balance was sold at once, executed with heavy slippage.
– Relative to lp-yCRVv2’s spot price at the time, the treasury received about 63% less than the tokens were worth; the difference went to the pool and to arbitrageurs who traded against it.
– Yearn confirmed the $1.4 million loss but clarified that customer funds were not affected, as the impacted tokens belonged to the protocol.
3. Recovery Efforts and Arbitrage Traders’ Appeal
– Yearn requested arbitrage traders who profited from the event to consider returning some funds, stating, “We are asking anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig.”
– On-chain messages were sent to some traders, and one arbitrager voluntarily returned 2 Ether (worth $4,500) to Yearn’s treasury address, expressing sympathy and acknowledging the risk involved.
4. Preventive Measures and Future Safeguards
– Yearn outlined steps to prevent similar mistakes: separating protocol-owned liquidity into dedicated manager contracts so a routine script cannot touch the whole treasury, having scripts emit human-readable output so signers can see exactly what they are approving, and enforcing stricter price impact thresholds so a trade that deviates far from spot is rejected before it is signed.
5. Historical Context
– Yearn had previously suffered an $11.6 million exploit on April 11, where a hacker minted one quadrillion Yearn Tether (yUSDT) tokens and traded them for other stablecoins.
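As an added example (not Yearn’s tooling and not code from the original report), here is a pre-signing check of the kind item 4 describes: before a swap batch is handed to the multisig, it compares the quoted output against a spot price, caps the share of the treasury that one batch may sell, and produces a human-readable summary the signers can read. The spot price of 0.56 yvDAI per lp-yCRVv2, the 1% impact limit and the 10% balance cap are assumptions chosen for illustration; the token amounts are the ones the report gives.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class SwapProposal:
    """A swap that an operations script wants the multisig to sign."""
    sell_token: str
    buy_token: str
    sell_amount: Decimal          # tokens leaving the treasury
    expected_buy_amount: Decimal  # quote the script obtained for this batch


@dataclass(frozen=True)
class Guardrails:
    max_price_impact: Decimal         # reject if the quote is worse than spot by more than this
    max_fraction_of_balance: Decimal  # reject if one batch sells more than this share of the treasury


@dataclass
class Report:
    approved: bool
    price_impact: Decimal
    fraction_of_balance: Decimal
    violations: list = field(default_factory=list)
    summary: str = ""


def price_impact(proposal: SwapProposal, spot_price: Decimal) -> Decimal:
    """Fraction of fair value lost versus spot: 0.01 means the quote pays 1% less than spot."""
    fair_value = proposal.sell_amount * spot_price
    return Decimal(1) - proposal.expected_buy_amount / fair_value


def check_swap(proposal: SwapProposal, spot_price: Decimal,
               treasury_balance: Decimal, guardrails: Guardrails) -> Report:
    """Run every guardrail and return a verdict plus a summary meant for human signers."""
    impact = price_impact(proposal, spot_price)
    fraction = proposal.sell_amount / treasury_balance
    fair_value = proposal.sell_amount * spot_price
    violations = []
    if impact > guardrails.max_price_impact:
        violations.append(
            f"price impact {impact:.1%} exceeds limit {guardrails.max_price_impact:.1%}")
    if fraction > guardrails.max_fraction_of_balance:
        violations.append(
            f"batch sells {fraction:.1%} of treasury balance, limit is "
            f"{guardrails.max_fraction_of_balance:.1%}")
    verdict = "APPROVE" if not violations else "REJECT"
    summary = (f"Sell {proposal.sell_amount:,.0f} {proposal.sell_token} "
               f"({fraction:.1%} of treasury) for {proposal.expected_buy_amount:,.0f} "
               f"{proposal.buy_token}; spot value {fair_value:,.0f} {proposal.buy_token}, "
               f"price impact {impact:.1%} -> {verdict}")
    return Report(not violations, impact, fraction, violations, summary)


# Assumed spot price and limits (constructed for this example, not figures from the report).
SPOT_PRICE = Decimal("0.56")            # yvDAI per lp-yCRVv2
GUARDRAILS = Guardrails(max_price_impact=Decimal("0.01"),
                        max_fraction_of_balance=Decimal("0.10"))
TREASURY_BALANCE = Decimal("3794894")   # entire lp-yCRVv2 balance, as reported

# The trade as the report describes it: the whole balance sold for 779,958 yvDAI.
INCIDENT_SWAP = SwapProposal("lp-yCRVv2", "yvDAI",
                             Decimal("3794894"), Decimal("779958"))

# A constructed batch that stays within both limits (about 0.5% impact, 2.6% of balance).
SMALL_SWAP = SwapProposal("lp-yCRVv2", "yvDAI",
                          Decimal("100000"), Decimal("55720"))


if __name__ == "__main__":
    for proposal in (INCIDENT_SWAP, SMALL_SWAP):
        report = check_swap(proposal, SPOT_PRICE, TREASURY_BALANCE, GUARDRAILS)
        print(report.summary)
        for violation in report.violations:
            print("  -", violation)
```

Against the report’s numbers the check computes a price impact of about 63% and a batch size of 100% of the balance, so both guardrails fire and the summary ends in REJECT; the small batch passes. The point is that the check runs on the proposal before any signature is collected, so the multisig never sees a transaction that the script built wrongly.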
Conclusion
The Yearn.finance incident is a reminder that a multisig protects against unauthorized transactions, not against authorized ones that do the wrong thing: the signers approved exactly what a faulty script proposed. A scripting error, not an attacker, removed $1.4 million from the treasury, which underscores that operational tooling (what a script builds, how it is presented to signers, and what limits it enforces) is part of a protocol’s attack surface. Projects need safeguards such as the ones Yearn outlined, and users should weigh a protocol’s operational security practices, not only its audited contracts, when deciding where to put funds.