Yo Protocol's Slippage Bomb

$3.71 million in, $112k out. One swap. No attacker required.
YO Protocol's vault operator fed a rebalancing transaction into Odos Router with parameters so broken that the aggregator did exactly what it was told - route $3.71 million straight into the pockets of liquidity providers waiting in thin Uniswap V4 pools.
No exploit. No hack. No malicious code. Just a 97% slippage execution that the protocol's own keeper initiated, signed, and broadcast to the world.
The team quietly backstopped the loss via multisig, paused the Pendle market, and left an on-chain message asking LPs to return 90% of their windfall.
Their response? "There was no incident."
A $10 million Series A closed just last month. The pitch deck probably didn't include a slide on how to vaporize eight figures with a single misclick.
When slippage protection is the only thing standing between your vault and oblivion, who checks if it's actually turned on?

January 12th, 2026 - A single transaction from YO Protocol's vault operator hit the Ethereum mempool.
The mission was simple: rebalance $3.71 million in stkGHO to USDC. Routine vault maintenance. The kind of swap that happens thousands of times a day across DeFi.
Except this one routed through Odos aggregator with what BlockSec would later describe as "a bad output quote by the initiator, which effectively disabled slippage protection" combined with "abnormal routing via executePath parameters."
PeckShield's alert landed within hours: "Yield has suffered a major financial hit."
DefimonAlerts caught the Pendle market pause.
QuillAudits documented the Uniswap V4 routing disaster. The on-chain evidence was already writing itself into permanence.
The swap didn't fail. It succeeded spectacularly - at doing exactly what the broken parameters instructed.
How does an aggregator turn a routine rebalance into a $3.71 million donation to anonymous LPs?
The Anatomy of a Bad Swap
Odos Router V2 received the instruction and went to work. What followed was 102 token transfers across a graveyard of liquidity.
The transaction touched Uniswap V4 Pool Manager dozens of times, fragmenting the massive stkGHO position into micro-swaps through pools that had no business handling institutional size - Uniswap V3, Curve, Balancer V3, Fluid, even Bancor converters that probably hadn't seen volume in months.
The routing got desperate. The token transfers tell the story - stkGHO converting to Adshares, Bancor's BNT token making a cameo, EURC, Resolv USD, f(x) USD - stablecoins most traders have never heard of becoming waypoints in a $3.71 million journey to nowhere.
One transfer sums it up: 3,840,651 stkGHO pushed into Uniswap V4 Pool Manager in a single move.
The whole disaster, immortalized in a single transaction.
Swap Transaction: 0x6aff59e800dc219ff0d1614b3dc512e7a07159197b2a6a26969a9ca25c3e33b4
The pools on the other side had the liquidity depth of a puddle. Price impact wasn't measured in basis points - it was measured in millions.
The event logs for the swap transaction are very telling.
The executePath parameters had routed the swap through pools with extreme fee tiers - 85%, 86%, even 88% on the largest hop - and virtually no liquidity.
Every hop extracted value. Every pool took its cut.
97% of the position had evaporated into the wallets of LPs who had positioned themselves - intentionally or not - to catch exactly this kind of whale carcass.
The Odos swap event log reveals the configuration that made it all possible: a slippage parameter of 17,872,058. For context, a normal swap might tolerate 50 basis points. This one was configured to accept oblivion.
Final output: 112,036 USDC delivered to the vault. Mission accomplished, technically.
When your aggregator finds liquidity in every dark corner of DeFi, is that a feature or a vulnerability?
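The failure above is a keeper signing a swap whose minimum output bears no relation to the position's value. The following is an added example, not YO Protocol's or Odos's code, of an off-chain pre-flight a keeper could run before signing: it derives the acceptable output floor from an independent reference price and a basis-point tolerance, then rejects any intent whose minOut or quoted output falls below that floor. The 1:1 stkGHO-to-USDC reference price and the whole-token amounts are constructed assumptions scaled to the figures in this article.

```python
# Added example (not YO Protocol's or Odos's code): keeper-side pre-flight that
# refuses to sign a swap when slippage protection is effectively switched off.
from dataclasses import dataclass

BPS = 10_000  # basis-point denominator


@dataclass(frozen=True)
class SwapIntent:
    amount_in: int        # whole tokens being sold (constructed: stkGHO)
    ref_price_num: int    # reference price as a fraction: quote per sell token,
    ref_price_den: int    # from an independent oracle (assumed 1 stkGHO ~ 1 USDC)
    quoted_out: int       # output the aggregator quote promises (whole tokens)
    min_out: int          # minimum output the keeper is about to sign into calldata
    tolerance_bps: int    # largest acceptable shortfall versus the reference


def expected_out(intent: SwapIntent) -> int:
    """Output implied by the reference price, ignoring slippage and fees."""
    return intent.amount_in * intent.ref_price_num // intent.ref_price_den


def floor_out(intent: SwapIntent) -> int:
    """Lowest output within tolerance; minOut should be this, never lower."""
    return expected_out(intent) * (BPS - intent.tolerance_bps) // BPS


def shortfall_bps(expected: int, actual: int) -> int:
    """How far below the reference an output sits, in basis points."""
    return (expected - actual) * BPS // expected


def preflight(intent: SwapIntent) -> list[str]:
    """Reasons this swap must NOT be signed; an empty list means it may proceed."""
    expected, floor = expected_out(intent), floor_out(intent)
    problems = []
    if intent.min_out < floor:
        # A minOut far below the floor is 'slippage protection disabled' in practice.
        problems.append(f"minOut {intent.min_out} permits a "
                        f"{shortfall_bps(expected, intent.min_out)} bps loss; floor is {floor}")
    if intent.quoted_out < floor:
        # The route itself is already bad: thin pools, extreme fee tiers or a bad quote.
        problems.append(f"quote {intent.quoted_out} is "
                        f"{shortfall_bps(expected, intent.quoted_out)} bps below reference")
    return problems


if __name__ == "__main__":
    # Constructed inputs scaled to the incident: 3.71M in, 112,036 out, 50 bps tolerance.
    bad = SwapIntent(3_710_000, 1, 1, quoted_out=112_036, min_out=1, tolerance_bps=50)
    for reason in preflight(bad):
        print("REJECT:", reason)
    good = SwapIntent(3_710_000, 1, 1, quoted_out=3_705_000, min_out=3_691_450, tolerance_bps=50)
    print("sign" if not preflight(good) else "reject")
```

With the constructed incident-sized inputs the check reports a 9,698 bps shortfall, the roughly 97% loss described above, and refuses to sign.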
Damage Control
The team moved fast - just not publicly.
Hours after the swap, YO Protocol's multisig bought ~3.71M GHO via CoW Swap and re-deposited stkGHO into the vault.
This time they used CoW Swap, the MEV-protected aggregator that routes through private solvers instead of the public mempool. The irony wasn't subtle.
The hole was filled. User funds made whole. The Pendle yoUSD market, paused during the chaos, eventually came back online.
Then came the on-chain message.
“This message is regarding an unintended swap that routed through your Uniswap v4 position today. We'd like to resolve this cooperatively and privately. Our proposal is that you retain 10% of the net proceeds as a bug bounty, and return the remainder to an address we provide.”
On-chain Bounty Message: 0x816cc2d41c3e85c0951d4f2f940a95f820d69cdbcf800262b8991d4ea159e105
The blockchain recorded the plea. The recipient's response was silence.
No public post-mortem materialized.
No Twitter thread explaining what went wrong. No transparency report for the protocol that markets itself on "transparent risk management powered by Exponential.fi's trusted ratings."
Instead, YO Protocol's Telegram group fielded questions with carefully constructed deflections.
"The market was temporarily paused earlier today."
"Pendle has yet to reenable the yoUSD market."
"YoUSD is back in normal operations."
All technically true. All missing the $3.71 million elephant in the room.
When the fix costs more than most seed rounds, does staying quiet count as transparency?

No attacker walked away rich. No exploit was deployed. No vulnerability was discovered.
YO Protocol simply handed $3.71 million to strangers because someone forgot to check the parameters on a swap.
The LPs who caught the windfall weren't malicious - they were just positioned in the right pools at the right time when a whale decided to cannonball into a kiddie pool.
Uniswap V4's hook architecture has been warned about since launch - extreme flexibility enabling extreme outcomes.
Aggregators routing through exotic pools with thin liquidity and high fees isn't a bug; it's a design choice. The only safeguard is the human pressing the button.
This time, the protocol could afford the lesson. A multisig flush with Series A cash papered over the crater before most users noticed.
But the playbook - broken parameters, disabled slippage protection, silence instead of disclosure - doesn't scale.
YO Protocol built its brand on optimizing risk-adjusted yield. Turns out the biggest risk was operational.
If a $3.71 million mistake doesn't warrant a public explanation, what does?

REKT serves as a public platform for anonymous authors; we accept no responsibility for the views or content found on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
disclaimer:
REKT is not responsible or liable in any way for any content posted, published or caused by REKT or the ANON author of our website, on our Website or in connection with our services. Although we provide rules for the anon author's conduct and postings, we are not responsible for what they publish, transmit or share on our website or services, nor for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our website and services. REKT is not responsible for the online or offline conduct of any user of our Website or Services.