
YO Suffers $3.7M Loss Due to ‘Unintended’ Stablecoin Swap

Security firms said the Ethereum-based trade likely bypassed slippage protections.
By: Jona Jaupi
YO Protocol suffered a roughly $3.73 million loss on Tuesday, Jan. 13, after a vault swap turned about $3.84 million worth of stkGHO, a staked version of Aave’s GHO stablecoin, into only around $122,000 in USDC, according to blockchain security firms PeckShield and BlockSec.

PeckShieldAlert said in a post on X that the loss happened during a swap from stkGHO to USDC due to extreme slippage. Slippage occurs when a trade executes at a worse price than expected, often during fast market moves or when there isn’t enough liquidity for a large trade.

BlockSec said the swap took place on Ethereum and described it as a “bizarre” trade. Meanwhile, QuillAudits said the trade may have been routed through a Uniswap v4 pool, which uses “hooks” that can make swaps more complex and harder to predict.

Security researchers emphasized that the incident was not a smart contract exploit or a hack. Still, the incident highlights a key risk in decentralized finance (DeFi): even without a hack, large trades can result in major losses if routed through thin liquidity or high-fee pools.
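To illustrate the mechanism, here is an added example (not code from YO or the security firms quoted here) that prices the same trade size against a deep and a thin pool and applies a minimum-output check before executing. It assumes a simple constant-product (x*y=k) pool model; the pool sizes, fee tiers, 1:1 reference price and 50 bps tolerance are constructed values, not data from the incident.

```python
# Added illustration: constant-product pool quote plus a minimum-output guard.
# All reserves, fees and tolerances are constructed; amounts are whole-dollar units.

BPS = 10_000

def quote_out(amount_in, reserve_in, reserve_out, fee_bps):
    """Output of an x*y=k pool for amount_in after the pool fee (integer math)."""
    in_after_fee = amount_in * (BPS - fee_bps)
    return (in_after_fee * reserve_out) // (reserve_in * BPS + in_after_fee)

def min_out(amount_in, ref_num, ref_den, max_slippage_bps):
    """Smallest acceptable output, from a reference price ref_num/ref_den."""
    fair = amount_in * ref_num // ref_den
    return fair * (BPS - max_slippage_bps) // BPS

def guarded_swap(amount_in, pool, ref_num=1, ref_den=1, max_slippage_bps=50):
    """Return (executed, amount_out, loss_bps); refuse any quote below min_out."""
    out = quote_out(amount_in, pool["reserve_in"], pool["reserve_out"], pool["fee_bps"])
    fair = amount_in * ref_num // ref_den
    loss_bps = max(fair - out, 0) * BPS // fair
    floor = min_out(amount_in, ref_num, ref_den, max_slippage_bps)
    return out >= floor, out, loss_bps

# Constructed pools for a stable-to-stable pair (hypothetical reserves and fees).
DEEP_POOL = {"reserve_in": 2_000_000_000, "reserve_out": 2_000_000_000, "fee_bps": 5}
THIN_POOL = {"reserve_in": 150_000, "reserve_out": 150_000, "fee_bps": 30}
TRADE_SIZE = 3_840_000  # same order of magnitude as the trade in the article

if __name__ == "__main__":
    for name, pool in (("deep", DEEP_POOL), ("thin", THIN_POOL)):
        executed, out, loss_bps = guarded_swap(TRADE_SIZE, pool)
        status = "executed" if executed else "rejected by guard"
        print(f"{name}: quoted out={out:,} loss={loss_bps} bps -> {status}")
```

A constant-product pool can never pay out more than its output reserve, so a trade many times larger than the pool receives only a fraction of its fair value unless a minimum-output check rejects it first.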

YO, which stands for Yield Optimizer, reportedly addressed the recipient of the funds in an on-chain message, describing the event as an “unintended swap” and proposing that they keep 10% of the proceeds as a bug bounty and return the remainder, according to Defimon Alerts, which shared the message on X.

QuillAudits further noted that the team moved quickly after the swap, buying back roughly $3.7 million worth of GHO and redepositing stkGHO into the vault. The firm also said YO temporarily paused the YoUSD market on Pendle before re-enabling it after recapitalization.

The incident quickly drew criticism on social media, with some users questioning the protocol’s risk controls and how the swap was executed. Numerous observers accused the team of negligence for allowing such a trade to go through.

YO has not published a full public explanation as of press time. In comments to The Defiant, a spokesperson for YO explained that the team is “actively working toward end-to-end automation of vault operations, and this incident occurred due to our efforts to expand the automated system’s coverage.”

The spokesperson also clarified that the YO treasury is covering any user losses, and that the project is shipping improvements to prevent this kind of incident from happening in the future:

“User funds were not impacted as the YO treasury fully covered the shortfall. We have implemented systemic changes and introduced trading guardrails to the Harvester system to prevent similar events from happening in the future. These include universal trade guardrails, bounded retries, separation of reward and principal assets, and improved monitoring and real-time alerts.”

Disclaimer: This article has been updated to add comments from YO, and to correct the project’s name from Yield Protocol to YO Protocol.
