- A faulty multisig script led to Yearn Finance losing 63% of its treasury’s value in an uncontrolled token swap.
- The bug occurred during a routine fee token conversion process and lacked sufficient output checks. No user funds were affected.
- To prevent future incidents, Yearn plans to separate treasury funds, enforce stricter limits on trades, and improve script readability.
Yearn Finance, one of the biggest names in decentralized finance (DeFi), recently disclosed a critical bug in its system that led to significant losses.
Details of the Bug
According to a post on GitHub, the bug occurred during a routine fee token conversion process on behalf of Yearn’s treasury. A faulty multisig script caused Yearn’s entire treasury balance of 3794894 lp-yCRVv2 tokens to be swapped for just 779958 yvDAI tokens.
The post explained that the script lacked sufficient output checks and contained a logical error. This led to the protocol’s whole lp-yCRVv2 balance plus fees being sent to the trading multisig, instead of just the fees as intended. The faulty script then executed a token swap without capping the trade size.
Consequences
This coding mistake and uncontrolled token swap resulted in considerable price slippage. The Yearn treasury lost 63% of its value because of this incident. The team disclosed that no user funds were affected.
Shortly after the faulty swap, arbitrageurs brought the price back to normal. Yearn is now asking users who profited from the price movement to return a reasonable portion of their gains to Yearn’s main multisig contract.
Avoiding Future Incidents
To prevent such bugs in the future, Yearn developers plan to separate treasury funds into dedicated manager contracts. They will also introduce more readable output messages and enforce stricter price impact limits on trading scripts.
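The checks the faulty script lacked (a cap on the amount sent, an output check) and the planned price impact limit can be expressed as a pre-flight guard that runs before a swap is signed. This is an added example, not Yearn's script: the fee-free constant-product pool model, the function and class names, the thresholds and the reserve values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

BPS = 10_000  # basis points in 100%


class SwapRejected(Exception):
    """A planned treasury swap failed a pre-flight check."""


@dataclass(frozen=True)
class Pool:
    """Constant-product (x*y=k) pool without fees; a simplification for this example."""
    reserve_in: int
    reserve_out: int

    def quote(self, amount_in: int) -> int:
        # Output received for amount_in at the pool's current reserves.
        return amount_in * self.reserve_out // (self.reserve_in + amount_in)


def plan_fee_swap(pool, fees_accrued, amount_in, max_impact_bps=100, slippage_bps=50):
    """Return the minimum acceptable output for the swap, or raise SwapRejected."""
    if amount_in <= 0:
        raise SwapRejected("nothing to swap")
    # Check 1: only accrued fees may leave the treasury, never the principal.
    if amount_in > fees_accrued:
        raise SwapRejected(f"amount {amount_in} exceeds accrued fees {fees_accrued}")
    # Check 2: compare the quoted output with the output at the current spot price.
    quoted = pool.quote(amount_in)
    spot_out = amount_in * pool.reserve_out // pool.reserve_in
    if spot_out == 0:
        raise SwapRejected("amount too small to price")
    impact_bps = (spot_out - quoted) * BPS // spot_out
    if impact_bps > max_impact_bps:
        raise SwapRejected(f"price impact {impact_bps} bps exceeds limit {max_impact_bps} bps")
    # Check 3: output floor to pass to the swap call so worse execution reverts.
    return quoted * (BPS - slippage_bps) // BPS


if __name__ == "__main__":
    pool = Pool(reserve_in=10_000_000, reserve_out=10_000_000)  # constructed reserves
    print("min output:", plan_fee_swap(pool, fees_accrued=10_000, amount_in=10_000))
    try:
        # Whole treasury balance plus fees, as in the incident: rejected by check 1.
        plan_fee_swap(pool, fees_accrued=10_000, amount_in=3_794_894 + 10_000)
    except SwapRejected as exc:
        print("rejected:", exc)
```

The returned floor only protects the trade if it is also passed to the on-chain swap as its minimum-output argument, so that execution worse than planned reverts.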
This comes on the heels of other exploits related to early Yearn versions, which cost the protocol over $100 million this year. The team seems committed to enhancing the code’s security and functionality to avoid further losses.