Yo Protocol's Slippage Bomb

$3.71 million in, $112k out. One swap. No attacker required.
YO Protocol's vault operator fed a rebalancing transaction into Odos Router with parameters so broken, the aggregator did exactly what it was told - route $3.71 million straight into the pockets of liquidity providers waiting in thin Uniswap V4 pools.
No exploit. No hack. No malicious code. Just a 97% slippage execution that the protocol's own keeper initiated, signed, and broadcast to the world.
The team quietly backstopped the loss via multisig, paused the Pendle market, and left an on-chain message asking LPs to return 90% of their windfall.
Their response? "There was no incident."
A $10 million Series A closed just last month. The pitch deck probably didn't include a slide on how to vaporize seven figures with a single misclick.
When slippage protection is the only thing standing between your vault and oblivion, who checks if it's actually turned on?

January 12th, 2026 - A single transaction from YO Protocol's vault operator hit the Ethereum mempool.
The mission was simple: rebalance $3.71 million in stkGHO to USDC. Routine vault maintenance. The kind of swap that happens thousands of times a day across DeFi.
Except this one routed through Odos aggregator with what BlockSec would later describe as "a bad output quote by the initiator, which effectively disabled slippage protection" combined with "abnormal routing via executePath parameters."
PeckShield's alert landed within hours: "Yield has suffered a major financial hit."
DefimonAlerts caught the Pendle market pause.
QuillAudits documented the Uniswap V4 routing disaster. The on-chain evidence was already writing itself into permanence.
The swap didn't fail. It succeeded spectacularly - at doing exactly what the broken parameters instructed.
How does an aggregator turn a routine rebalance into a $3.71 million donation to anonymous LPs?
The Anatomy of a Bad Swap
Odos Router V2 received the instruction and went to work. What followed was 102 token transfers across a graveyard of liquidity.
The transaction touched Uniswap V4 Pool Manager dozens of times, fragmenting the massive stkGHO position into micro-swaps through pools that had no business handling institutional size - Uniswap V3, Curve, Balancer V3, Fluid, even Bancor converters that probably hadn't seen volume in months.
The routing got desperate. Along the way stkGHO converted into Adshares, Bancor's BNT made a cameo, and EURC, Resolv USD and f(x) USD - stablecoins most traders have never heard of - became waypoints in a $3.71 million journey to nowhere.
The largest single leg says it all: 3,840,651 stkGHO pushed into Uniswap V4 Pool Manager in one move.
The whole disaster, immortalized in a single transaction.
Swap Transaction: 0x6aff59e800dc219ff0d1614b3dc512e7a07159197b2a6a26969a9ca25c3e33b4
The pools on the other side had the liquidity depth of a puddle. Price impact wasn't measured in basis points - it was measured in millions.
The event logs for the swap transaction are very telling.
The executePath parameters had routed the swap through pools with extreme fee tiers - 85%, 86%, even 88% on the largest hop - and virtually no liquidity.
Every hop extracted value. Every pool took its cut.
97% of the position had evaporated into the wallets of LPs who had positioned themselves - intentionally or not - to catch exactly this kind of whale carcass.
The Odos Swap event log reveals the configuration that made it all possible, though not in the way a first glance suggests. The event's slippage field, 17,872,058, is not a tolerance in basis points. In Odos Router V2 that field is the signed difference between what the route actually produced and the outputQuote the caller supplied, in output-token units: here about +17.87 USDC at six decimals, meaning the route delivered slightly more than the initiator's own quote. That quote was roughly 112,000 USDC for $3.71 million of stkGHO. Because outputMin is derived from the quote, the router's only revert condition (amountOut >= outputMin) was never in play. A normal swap sets outputMin perhaps 50 basis points under a quote that reflects the market; this one set it under a quote that was already 97% underwater. That is what BlockSec meant by a bad output quote that effectively disabled slippage protection: the router checks the result against the caller's expectation, never against the market.
Final output: 112,036 USDC delivered to the vault. Mission accomplished, technically.
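As an added example (not code from the article, from YO Protocol or from Odos), the Python below models that router-side check and adds the keeper-side guard the router cannot perform: an independent sanity check of the quote before the transaction is signed. The router model follows the publicly verified Odos Router V2 `_swap` logic as I read it; the function names, the 1e8-scaled reference price, the 100 bps deviation limit and the sample figures are assumptions constructed for the example and only approximate the article's numbers.

```python
"""Router-side slippage check vs. keeper-side quote guard.

Added example, not project code. The router model follows the publicly
verified Odos Router V2 `_swap` logic as read by the editor: outputMin must
not exceed outputQuote, positive slippage is retained by the router, and the
Swap event's `slippage` field is routed output minus outputQuote in output
token units. Function names, the 1e8-scaled reference price, the deviation
limit and the sample figures are constructed for this example.
"""
from dataclasses import dataclass

STKGHO_DECIMALS = 18
USDC_DECIMALS = 6
BPS = 10_000


class SlippageLimitExceeded(Exception):
    """Mirrors the router's revert reason."""


@dataclass(frozen=True)
class SwapTokenInfo:
    """Subset of the router's swapTokenInfo struct, raw token units."""
    input_amount: int
    output_quote: int  # what the caller claims the path will yield
    output_min: int    # below this the router reverts


def router_settle(info: SwapTokenInfo, routed_out: int) -> tuple[int, int]:
    """Return (amountOut delivered, slippage emitted) for a path that produced routed_out.

    The only comparison is against the caller's own numbers; no market price
    is consulted. A tiny quote therefore lets a 97% loss settle cleanly.
    """
    if info.output_min > info.output_quote:
        raise ValueError("Minimum greater than quote")
    if info.output_min == 0:
        raise ValueError("Slippage limit too low")
    slippage = routed_out - info.output_quote
    amount_out = info.output_quote if slippage > 0 else routed_out  # surplus stays in router
    if amount_out < info.output_min:
        raise SlippageLimitExceeded(f"amountOut {amount_out} < outputMin {info.output_min}")
    return amount_out, slippage


def swap_would_revert(info: SwapTokenInfo, routed_out: int) -> bool:
    """True if the router would reject this outcome."""
    try:
        router_settle(info, routed_out)
    except (SlippageLimitExceeded, ValueError):
        return True
    return False


def recover_quote(event_amount_out: int, event_slippage: int) -> int:
    """Back out the caller's outputQuote from the Swap event's amountOut and slippage."""
    # Positive slippage: amountOut was clamped to the quote, so it *is* the quote.
    # Otherwise amountOut is the real output and slippage = amountOut - quote.
    return event_amount_out if event_slippage > 0 else event_amount_out - event_slippage


def output_min_for(quote: int, tolerance_bps: int) -> int:
    """outputMin the usual way: quote minus a tolerance, e.g. 50 bps."""
    return quote * (BPS - tolerance_bps) // BPS


def quote_deviation_bps(input_amount: int, input_decimals: int, quote: int,
                        output_decimals: int, reference_price_e8: int) -> int:
    """How far below an independently priced expectation the quote sits, in bps.

    reference_price_e8 is output per input scaled by 1e8 (Chainlink style) from
    a source the aggregator does not control: an oracle, the asset's redemption
    rate, or a second quote provider. Negative means the quote beats the reference.
    """
    expected = input_amount * reference_price_e8 * 10**output_decimals \
        // (10**8 * 10**input_decimals)
    return (expected - quote) * BPS // expected


def keeper_should_sign(info: SwapTokenInfo, input_decimals: int, output_decimals: int,
                       reference_price_e8: int, max_deviation_bps: int) -> bool:
    """Pre-flight guard: refuse to sign when the quote itself is absurd."""
    if info.output_min == 0 or info.output_min > info.output_quote:
        return False
    deviation = quote_deviation_bps(info.input_amount, input_decimals,
                                    info.output_quote, output_decimals, reference_price_e8)
    return deviation <= max_deviation_bps


# Constructed figures approximating the article: ~3.71M stkGHO in, 112,036 USDC
# out, Swap-event slippage 17,872,058 raw units, i.e. about +17.87 USDC.
INPUT_AMOUNT = 3_710_000 * 10**STKGHO_DECIMALS
EVENT_AMOUNT_OUT = 112_036 * 10**USDC_DECIMALS
EVENT_SLIPPAGE = 17_872_058
BAD_QUOTE = recover_quote(EVENT_AMOUNT_OUT, EVENT_SLIPPAGE)
BAD_INFO = SwapTokenInfo(INPUT_AMOUNT, BAD_QUOTE, output_min_for(BAD_QUOTE, 50))

# What a sane rebalance would have submitted for the same input at ~$1 per stkGHO.
SANE_QUOTE = 3_700_000 * 10**USDC_DECIMALS
SANE_INFO = SwapTokenInfo(INPUT_AMOUNT, SANE_QUOTE, output_min_for(SANE_QUOTE, 50))
REFERENCE_PRICE_E8 = 1 * 10**8  # assumed reference: 1 stkGHO ~ 1 USDC


if __name__ == "__main__":
    routed = BAD_QUOTE + EVENT_SLIPPAGE  # what the 102-transfer path really produced
    print("bad quote settles:", router_settle(BAD_INFO, routed))
    print("sane quote reverts on the same outcome:", swap_would_revert(SANE_INFO, routed))
    for name, info in (("bad", BAD_INFO), ("sane", SANE_INFO)):
        dev = quote_deviation_bps(INPUT_AMOUNT, STKGHO_DECIMALS, info.output_quote,
                                  USDC_DECIMALS, REFERENCE_PRICE_E8)
        ok = keeper_should_sign(info, STKGHO_DECIMALS, USDC_DECIMALS, REFERENCE_PRICE_E8, 100)
        print(f"{name}: quote is {dev} bps below reference -> sign={ok}")
```

Run it directly to see the bad quote settle and the sane quote revert on the very same 112k USDC outcome. The point of keeper_should_sign is that an outputMin derived from a quote is only as good as the quote; a keeper that prices the input from an oracle or redemption rate it controls, and refuses any quote more than a fixed distance below that, fails closed on exactly this kind of mistake.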
When your aggregator finds liquidity in every dark corner of DeFi, is that a feature or a vulnerability?
Damage Control
The team moved fast - just not publicly.
Hours after the swap, YO Protocol's multisig bought ~3.71M GHO via CoW Swap and re-deposited stkGHO into the vault.
This time they used CoW Swap, the intent-based aggregator where competing solvers settle signed orders instead of a raw swap being broadcast through the public mempool. The irony wasn't subtle.
The hole was filled. User funds made whole. The Pendle yoUSD market, paused during the chaos, eventually came back online.
Then came the on-chain message.
“This message is regarding an unintended swap that routed through your Uniswap v4 position today. We'd like to resolve this cooperatively and privately. Our proposal is that you retain 10% of the net proceeds as a bug bounty, and return the remainder to an address we provide.”
On-chain Bounty Message: 0x816cc2d41c3e85c0951d4f2f940a95f820d69cdbcf800262b8991d4ea159e105
The blockchain recorded the plea. The recipient's response was silence.
No public post-mortem materialized.
No Twitter thread explaining what went wrong. No transparency report for the protocol that markets itself on "transparent risk management powered by Exponential.fi's trusted ratings."
Instead, YO Protocol's Telegram group fielded questions with carefully constructed deflections.
"The market was temporarily paused earlier today."
"Pendle has yet to reenable the yoUSD market."
"YoUSD is back in normal operations."
All technically true. All missing the $3.71 million elephant in the room.
When the fix costs more than most seed rounds, does staying quiet count as transparency?

No attacker walked away rich. No exploit was deployed. No vulnerability was discovered.
YO Protocol simply handed $3.71 million to strangers because someone forgot to check the parameters on a swap.
The LPs who caught the windfall weren't malicious - they were just positioned in the right pools at the right time when a whale decided to cannonball into a kiddie pool.
Uniswap V4's flexibility has been warned about since launch: anyone can deploy a pool with an arbitrary fee tier, up to 100%, or with hooks that change its behaviour, and extreme flexibility enables extreme outcomes.
An aggregator that indexes those pools and routes through thin, high-fee liquidity isn't exhibiting a bug; it's a design choice. The router only checks the result against the quote the caller supplied, so the real safeguard is the human pressing the button and the numbers they put in.
This time, the protocol could afford the lesson. A multisig flush with Series A cash papered over the crater before most users noticed.
But the playbook - broken parameters, disabled slippage protection, silence instead of disclosure - doesn't scale.
YO Protocol built its brand on optimizing risk-adjusted yield. Turns out the biggest risk was operational.
If a $3.71 million mistake doesn't warrant a public explanation, what does?

REKT serves as a public platform for anonymous authors; we disclaim all responsibility for the opinions or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
disclaimer:
REKT is not responsible in any way for the content published on our website or in connection with our Services, whether published or caused by an Anon Author of our website or by REKT. Although we provide rules for the conduct and posts of the Anon Author, we do not control and are not responsible for what the Anon Author publishes, transmits or shares on our website or our Services, and we are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our website or our Services. REKT shall not be held responsible for the conduct, online or offline, of any user of our website or our services.