Decentralized finance platform Yearn.finance faces a situation where it's seeking the return of $1.4 million in funds inadvertently drained due to a multi-signature script error. A Yearn contributor named "dudesahn" highlighted on GitHub that a flawed multi-signature script led to the swapping of the entirety of Yearn's financial balance of 3,794,894 lp-yCRVv2 tokens.
The error occurred during the process of converting the yVault LP-yCurve tokens (lp-yCRVv2) into a stablecoin on CowSwap, a decentralized exchange. This action resulted in Yearn receiving 779,958 DAI yVault (yvDAI) tokens from a trade, causing a significant 63% drop in liquidity pool value within its vault compared to the spot price of lp-yCRVv2 at that time.
Yearn confirmed the $1.4 million loss, specifying that these affected tokens were exclusively owned by the protocol within Yearn's vaults and reassured that customer funds remained unaffected by the incident.
Seeking to rectify the situation, Yearn has requested any arbitrage traders who may have gained from this incident to consider returning a portion of their profits to the main Yearn multisig. Efforts have been made by Yearn to contact traders through on-chain messages, and some have responded. One arbitrageur, for instance, returned 2 Ethereum valued at $4,500 to Yearn's vault address, expressing empathy and acknowledging the risk taken in helping rectify the situation.
To prevent such errors in the future, Yearn has outlined several strategies, including segregating the protocol's owned liquidity into distinct management contracts, implementing human-readable output messages, and imposing stricter price impact thresholds. This incident is not the first time Yearn has faced issues; previously, in an April attack, hackers successfully created 100 billion Yearn Tether (yUSDT) tokens and traded them for other stablecoins, resulting in an $11.6 million loss for Yearn.
