According to the yield-farming protocol Yearn Finance, a faulty multisig script destroyed 63% of its treasury. User funds were unaffected.
A disclosure post on GitHub states that the incident happened during a “regular fee token conversion process on behalf of Yearn’s treasury.” Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens was exchanged for 779,958 yvDAI tokens due to a malfunctioning script.
“The entire treasury balance of lp-yCRVv2 (POL, plus fees) was mistakenly transferred to the trading multisig, when only expected a much smaller fees portion,” the post stated.
The post continues, “The script used by the trading multisig to swap tokens lacked sufficient output checks and contained a logical error that would have capped the trade size to a reasonable amount.”
The protocol team reported that there was a large amount of price slippage following the trade, “which arbed back to the normal price by the market shortly after.” They requested that users who had benefited from the price movement “return an amount that they feel is reasonable to Yearn’s main multisig.”
The developers of the protocol intended to “separate POL funds into dedicated manager contracts, introduce more human-readable output messages on trading scripts, and enforce stricter price impact thresholds” to stop similar incidents from happening in the future, according to the post.
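
The three controls named in the post (a trade-size cap, an output check, and a price-impact threshold) can be combined into one pre-trade gate that runs before anything is signed. The sketch below is an added example, not Yearn's script: the function names, the 50,000-token cap, the 1.0 reference price and the 100 bps threshold are constructed assumptions, and only the two trade amounts come from the article.

```python
from decimal import Decimal

BPS = Decimal(10_000)

class TradeRejected(Exception):
    """Raised before signing when a swap fails a pre-trade check."""

def price_impact_bps(amount_in, quoted_out, reference_price):
    """Shortfall of the quote versus the reference price, in basis points."""
    expected_out = Decimal(amount_in) * Decimal(reference_price)
    return (expected_out - Decimal(quoted_out)) / expected_out * BPS

def check_swap(amount_in, quoted_out, *, max_amount_in, reference_price, max_impact_bps):
    """Return the minimum output to enforce on-chain, or raise TradeRejected."""
    amount_in, quoted_out = Decimal(amount_in), Decimal(quoted_out)
    if amount_in <= 0 or quoted_out <= 0:
        raise TradeRejected("amounts must be positive")
    # Size cap: compared against the amount actually being sold, not a balance.
    if amount_in > Decimal(max_amount_in):
        raise TradeRejected(
            f"size cap: selling {amount_in:,} exceeds cap {Decimal(max_amount_in):,}")
    impact = price_impact_bps(amount_in, quoted_out, reference_price)
    if impact > Decimal(max_impact_bps):
        raise TradeRejected(
            f"price impact: {impact:,.0f} bps exceeds {max_impact_bps} bps")
    # Output check: floor handed to the swap so execution cannot do worse.
    return amount_in * Decimal(reference_price) * (BPS - Decimal(max_impact_bps)) / BPS

def review(amount_in, quoted_out, **limits):
    """Human-readable verdict for the signers of the transaction."""
    try:
        min_out = check_swap(amount_in, quoted_out, **limits)
        return f"OK: sell {Decimal(amount_in):,} for at least {min_out:,.0f}"
    except TradeRejected as exc:
        return f"REJECTED: {exc}"

if __name__ == "__main__":
    # Trade amounts are from the article; cap, reference price and
    # threshold are constructed values, not real market data.
    limits = dict(max_amount_in=50_000, reference_price="1.0", max_impact_bps=100)
    print(review(3_794_894, 779_958, **limits))
    print(review(10_000, 9_950, **limits))
```

Under these assumed limits the article's trade is stopped by the size cap alone, and it would still fail the price-impact check if the cap were raised.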
Earlier this year, an exploit involving an early Yearn version, called iearn, caused damages of $11.6 million, according to PeckShield. One of its vaults contained $11 million worth of cryptocurrency that was lost due to an exploit in February.