In a routine token swap for Yearn Finance, a glitch in the script went awry, causing the accidental swap of the entire treasury balance of close to 3.8 million liquidity tokens, lp-yCRVv2.
This stash, known as protocol owned liquidity (POL), belonged solely to Yearn’s treasury and did not involve any user funds.
The impact however, was felt in the Curve pool, with significant slippage that normalised shortly afterward.
Complicating matters, the trade included almost 780,000 yvDAI tokens, resulting in around 63% of the LP value (about $1.4 million USD) lost to slippage, based on the liquidity token’s spot price during the trade.
How it All Happened
At the heart of the mishap is Yearn’s key product, yCRV, supported by a substantial POL reserve in the form of lp-yCRVv2, the liquidity token.
This token essentially represents one locked CRV in Yearn’s pooled veCRV position.
Additionally, Yearn’s treasury regularly receives such liquidity tokens as performance fees, which are usually converted into stablecoins for day-to-day operations.
The glitch occurred when the entire POL amount was mistakenly moved to the trading multisig, treated as if it were fees.
This multisig executed a transaction on Cowswap, involving over 30 orders, including one to swap the entire liquidity token balance.
The orders were filled shortly after placement.
Two significant oversights contributed to this blunder: the incorrect transfer of the entire liquidity token balance to the trading multisig and a script lacking adequate output checks, with a logical error that failed to cap the trade size reasonably.
The complexity of over 30 trades in a single transaction added to the challenge of human review.
After the incident, arbitrage bots and market actors swiftly corrected the disrupted price.
Reviewing The Incident
To prevent a recurrence, Yearn Finance is rolling out additional safeguards.
First, they will separation of POL funds into dedicated manager contracts.
The DeFi platform will also introduce of more understandable output messages on trading scripts to facilitate review.
Lastly, they will enforce stricter thresholds for price impact.
This incident follows previous exploits on Yearn Finance, such as the $11.6 million damage in April linked to an early Yearn version (iearn) and an $11 million loss in February resulting from an exploit in one of its vaults.