Decentralized finance protocol Yearn.finance is hoping arbitrage traders will return $1.4 million in funds after a multisignature scripting error resulted in a large amount of the protocol’s treasury being drained.
“A faulty multisig script caused Yearn’s entire treasury balance of 3,794,894 lp-yCRVv2 tokens to be swapped,” according to a Dec. 11 GitHub post by Yearn contributor “dudesahn.”
The error occurred while Yearn was converting its yVault LP-yCurve (lp-yCRVv2) — earned from performance fees on vault harvests — into stablecoins on decentralized exchange CowSwap.
$1.4M WIPED OUT
Yearn Finance stated that their treasury fund lost around $1.4M due to a faulty script
Later on, their team claimed that only their LP position was affected, no user’s funds were targeted
— De.Fi Antivirus Web3 (@DeDotFiSecurity) December 13, 2023
Yearn suffered significant slippage when it received 779,958 DAI yVault (yvDAI) tokens from the trade, resulting in a 63% fall in liquidity pool value from its treasury — relative to lp-yCRVv2’s spot price at the time.
Yearn confirmed the $1.4 million figure in a note to The Block.
However, Dudesahn said the affected tokens were “strictly protocol-owned liquidity” in Yearn’s treasury and that customer funds weren’t impacted.
Given how “critical” these tokens are to Yearn’s yCRV liquidity, the firm has asked any successful arb traders that profited from the event to consider sending some of the funds back:
“We are asking anyone who profitably arbed this mistake to return an amount that they feel is reasonable to Yearn’s main multisig.”
Yearn took its recovery efforts one step further, writing on-chain messages to some of the traders.
One arbitrager has already transferred 2 Ether (ETH), worth $4,500, back to Yearn’s treasury address, according to Etherscan. “Sorry to hear that lads, happens to the best of us. Didn’t profit that bigly like some others did, and we did take on some risk and helped the peg, but here’s some back anyway,” they added in an on-chain message.
To prevent similar mistakes in the future, Yearn said it will separate protocol-owned liquidity into specific manager contracts, implement human-readable output messages and enforce stricter price impact thresholds.
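A pre-signing check of the kind described above, combining a price impact threshold with a human-readable order summary. This is an added example, not Yearn's code: the names, the 1% limit and the spot rate are assumptions, and only the token amounts come from the article.

```python
from dataclasses import dataclass
from decimal import Decimal

MAX_PRICE_IMPACT = Decimal("0.01")  # assumed policy limit (1%), not Yearn's actual threshold

class OrderRejected(Exception):
    """Raised before signing when an order fails a pre-flight check."""

@dataclass(frozen=True)
class SwapOrder:
    sell_token: str
    buy_token: str
    sell_amount: Decimal       # tokens the script will sell
    buy_amount: Decimal        # tokens the order is set to receive
    treasury_balance: Decimal  # treasury's current holding of sell_token
    spot_rate: Decimal         # buy tokens per sell token, from an independent price source

def price_impact(order: SwapOrder) -> Decimal:
    """Fraction of spot value lost: 0 means a fill at spot, 1 means total loss."""
    expected = order.sell_amount * order.spot_rate
    return (expected - order.buy_amount) / expected

def describe(order: SwapOrder) -> str:
    """Human-readable summary for signers to read instead of raw calldata."""
    share = order.sell_amount / order.treasury_balance
    return (f"SELL {order.sell_amount:,.0f} {order.sell_token} "
            f"({share:.1%} of treasury balance) FOR {order.buy_amount:,.0f} "
            f"{order.buy_token}; loss vs spot {price_impact(order):.1%}")

def preflight(order: SwapOrder, limit: Decimal = MAX_PRICE_IMPACT) -> str:
    """Return the summary if the order is within the limit, otherwise refuse."""
    if min(order.sell_amount, order.treasury_balance, order.spot_rate) <= 0:
        raise OrderRejected("non-positive amount, balance or spot rate")
    if order.sell_amount > order.treasury_balance:
        raise OrderRejected("sell amount exceeds treasury balance")
    if price_impact(order) > limit:
        raise OrderRejected("price impact over limit: " + describe(order))
    return describe(order)

# Amounts are the article's; the spot rate is constructed so they give ~63%.
INCIDENT = SwapOrder("lp-yCRVv2", "yvDAI", Decimal("3794894"), Decimal("779958"),
                     Decimal("3794894"), Decimal("0.5555"))
# Constructed small order close to spot, which passes the check.
ROUTINE = SwapOrder("lp-yCRVv2", "yvDAI", Decimal("100000"), Decimal("55400"),
                    Decimal("3794894"), Decimal("0.5555"))
```

Calling `preflight(INCIDENT)` raises `OrderRejected` with the summary in the message, so the order never reaches the signers, while `preflight(ROUTINE)` returns the summary for them to review.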
Yearn fell victim to an $11.6 million exploit on April 11 after the hacker managed to mint one quadrillion Yearn Tether (yUSDT) tokens and trade it for other stablecoins.
Calling All Arb Traders: Yearn.finance Begs for Return of Funds After $1.4M Multisig Mishap
The world of decentralized finance (DeFi) has been a hot topic in the cryptocurrency community in recent months. DeFi platforms, such as Yearn.finance, have been growing in popularity due to their potential for high returns and decentralized nature. However, with this rise in popularity comes a new set of challenges and risks, especially for Arb traders.
Recently, a $1.4M mishap has rocked the DeFi world and left many Arb traders and investors nervous and questioning the safety of their funds. In this article, we will delve into the details of the incident, discuss the impact on Arb traders, and explore the steps that can be taken to prevent similar incidents in the future.
What Happened with the Yearn.finance Multisig?
To understand the impact of the $1.4M multisig mishap, let’s first take a brief look at what a multisig is. A multisig, short for multi-signature, is a security measure utilized by DeFi platforms to secure and manage funds. It requires multiple signatures from different parties for a transaction to be executed, ensuring that no single person has complete control over the funds.
In the case of Yearn.finance, a multisig was set up by the project’s founder, Andre Cronje, to manage the funds of the protocol. However, on October 8th, the Yearn.finance multisig was reportedly hacked, resulting in the loss of $1.4M worth of DAI tokens. The hacker was able to exploit a vulnerability in the platform’s code, allowing them to drain the funds from the multisig.
According to Cronje, the hacker used a trick known as a “flash loan attack” to exploit the vulnerability. This type of attack involves borrowing a large amount of funds from a DeFi platform, executing a series of transactions, and then returning the borrowed funds, all within a single transaction. This allows the attacker to manipulate the market and profit from the price discrepancies.
The Impact on Arb Traders
Arb trading, short for arbitrage trading, is a popular strategy used by many DeFi traders. It involves buying an asset on one platform and selling it on another to take advantage of price differences. However, with the recent multisig mishap, Arb traders are now faced with the risk of losing their funds if they have invested in Yearn.finance.
Many Arb traders have taken to social media to express their concerns and frustration over the incident. They argue that they were not responsible for the hack and should not be held accountable for the loss. This has caused a rift in the DeFi community, with some supporting the traders’ demands for the return of their funds, while others argue that the responsibility lies with the project’s team.
What’s Being Done to Address the Issue?
Following the hack, the Yearn.finance team has announced a plan to create a new multisig and migrate all funds to it. They also announced a “hacker bounty” of $250,000 and promised to return any funds that are recovered. However, this has not been enough to appease the disgruntled Arb traders, who argue that the team should have been more diligent in securing the platform’s code.
In light of this, some community members have suggested implementing a socialized loss strategy, where the cost of the hack is shared among all stakeholders, including the team, the users, and the investors. This has been met with mixed reactions, with some arguing that this goes against the principles of DeFi, which is rooted in decentralization and individual responsibility.
Preventing Future Incidents
The Yearn.finance multisig incident has highlighted the need for better security measures and auditing processes in DeFi platforms. As the popularity of DeFi continues to grow, it is crucial for protocols to prioritize the security of their users’ funds. This includes regular code audits, implementing security best practices, and ensuring timely bug fixes.
Arb traders can also take several steps to mitigate the risks associated with DeFi platforms. These include diversifying their investments, doing thorough research before investing in a new platform, and staying updated on the latest security measures and risks.
In conclusion, the recent $1.4M multisig mishap in Yearn.finance has raised concerns about the security of funds in DeFi platforms and the responsibilities of both the teams and the users. While the incident has undoubtedly caused chaos and uncertainty in the community, it also serves as a wake-up call for better security measures and risk management in the DeFi space. As the industry evolves, it is crucial to prioritize the safety of users’ funds and work towards preventing such incidents in the future.