Yearn.finance pleads with arb traders to return funds after $1.4M multisig mishap

DeFi protocol Yearn.finance has called on arb traders to return as much as $1.4 million after a faulty script led to funds being lost from its treasury.
Decentralized finance protocol Yearn.finance is hoping arbitrage traders will return $1.4 million in funds after a multisignature scripting error resulted in a large amount of the protocol’s treasury being drained.

“A faulty multisig script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped,” according to a Dec. 11 GitHub post by Yearn contributor “dudesahn.”

The error occurred while Yearn was converting its yVault LP-yCurve (lp-yCRVv2) — earned from performance fees on vault harvests — into stablecoins on the decentralized exchange CowSwap.

Yearn suffered significant slippage when it received 779,958 DAI yVault (yvDAI) tokens from the trade, resulting in a 63% drop in liquidity pool value from its treasury relative to lp-yCRVv2’s spot price at the time.

Yearn confirmed the $1.4 million figure in a note to The Block.

However, Dudesahn said the affected tokens were “strictly protocol-owned liquidity” in Yearn’s treasury and that customer funds weren’t impacted.

Given how critical these tokens are to Yearn’s yCRV liquidity, the firm has asked any successful arb traders who profited from the event to consider sending some of the funds back:

“We are asking anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig.”

Yearn took its recovery efforts one step further, writing on-chain messages to some of the traders.

On-chain message from Yearn’s treasury address to c0ffeebabe.eth. Source: Etherscan

One arbitrager has already transferred 2 Ether (ETH) worth $4,500 back to Yearn’s treasury address, according to Etherscan. “Sorry to hear that lads, happens to the best of us. Didn’t profit that bigly like some others did, and we did take on some risk and helped the peg, but here’s some back anyway,” they added in an on-chain message.

To prevent similar mistakes in the future, Yearn said it would separate protocol-owned liquidity into specific manager contracts, implement human-readable output messages and enforce stricter price impact thresholds.
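The last two of those measures can be pictured as a pre-signing check. The following is an added example, not Yearn's code: the function names and the 1% limit are hypothetical, and the spot price of 0.5555 yvDAI per lp-yCRVv2 is constructed to match the reported 63% drop rather than taken from a market quote.

```python
from decimal import Decimal

class SwapRejected(Exception):
    """Raised when a proposed swap must not be signed."""

def price_impact(sell_amount, quoted_buy_amount, spot_price):
    """Fraction of spot value lost; spot_price is buy tokens per sell token."""
    expected = Decimal(str(sell_amount)) * Decimal(str(spot_price))
    if expected <= 0:
        raise ValueError("sell amount and spot price must be positive")
    return 1 - Decimal(str(quoted_buy_amount)) / expected

def review_swap(sell_token, sell_amount, balance, buy_token,
                quoted_buy_amount, spot_price, max_impact="0.01"):
    """Return a human-readable summary for signers, or raise SwapRejected."""
    sell_amount, balance = Decimal(str(sell_amount)), Decimal(str(balance))
    if not 0 < sell_amount <= balance:
        raise SwapRejected(f"sell amount {sell_amount} outside 0..{balance}")
    impact = price_impact(sell_amount, quoted_buy_amount, spot_price)
    summary = (
        f"SELL {sell_amount:,.0f} {sell_token} "
        f"({sell_amount / balance:.2%} of treasury balance)\n"
        f"FOR at least {Decimal(str(quoted_buy_amount)):,.0f} {buy_token}\n"
        f"PRICE IMPACT vs spot: {impact:.2%} (limit {Decimal(max_impact):.2%})"
    )
    if impact > Decimal(max_impact):
        raise SwapRejected("price impact over limit\n" + summary)
    return summary

if __name__ == "__main__":
    # Amounts are from the article; 0.5555 yvDAI per lp-yCRVv2 is a constructed
    # spot price chosen to match the reported 63% drop, not a quoted market price.
    try:
        print(review_swap("lp-yCRVv2", 3_794_894, 3_794_894,
                          "yvDAI", 779_958, "0.5555"))
    except SwapRejected as err:
        print("REJECTED:", err)
```
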

Yearn fell victim to an $11.6 million exploit on April 11 after the hacker managed to mint one quadrillion Yearn Tether (yUSDT) tokens and trade them for other stablecoins.