YO Protocol Reports Serious Token Swap Error: Approximately $3.84 million worth of stkGHO was accidentally exchanged via an extreme pool on Uniswap v4 during an asset rebalancing operation, resulting in only about $12,200 USDC received, instantly evaporating nearly $3.7 million in value.
(Background: TrueBit protocol suspected of being hacked! 8,535 ETH transferred abnormally, $TRU instantly halved)
(Additional context: North Korean hackers set a record in 2025 by stealing $2.02 billion in cryptocurrencies, with a laundering cycle of about 45 days)
Table of Contents
- Incident Overview
- YO Protocol Team’s Rapid Response
- Summary of Root Cause
Blockchain security firm BlockSec’s latest post disclosed that on January 13, 2026, the DeFi protocol YO Protocol experienced a serious abnormal token swap event. This was not a traditional smart contract vulnerability or hacking incident, but a severe operational mistake during the process, leading to a loss of about $3.84 million worth of stkGHO (Aave-staked GHO tokens). During the USDC swap, only about $12,200 USDC was successfully received, with an actual loss approaching $3.7 million.
YO protocol (@yield) was reported to suffer a bizarre swap on #Ethereum: ~$3.84M stkGHO ended up as only ~$122K USDC. The team has taken actions including buying GHO and re-depositing stkGHO into the vault.
Our investigation suggests the discrepancy may have resulted from two… pic.twitter.com/ttbZwv5zEt
— BlockSec Phalcon (@Phalcon_xyz) January 13, 2026
Incident Overview
According to on-chain analysis by BlockSec and other security teams, the incident originated from a large asset rebalancing operation executed by the Yo Vault operator (or automated keeper) of YO Protocol: exchanging about $3.84 million worth of stkGHO for USDC. This transaction was originally supposed to find the best route via an aggregator, but was instead directed to a liquidity pool on Uniswap v4 with extremely thin liquidity, high fees (or using custom hooks).
Due to abnormal routing choices, combined with the initiator possibly setting an excessively high slippage tolerance (or no protection at all), extreme price impacts and large fee extraction occurred. Ultimately, most of the value was captured by liquidity providers (LPs) in that Uniswap v4 pool, leaving only about $11,200–$12,200 USDC back in the protocol.
YO Protocol Team’s Rapid Response
After the incident, the YO Protocol team quickly implemented remedial measures within a few hours:
- Recovered approximately $3.71 million worth of GHO using a MEV-protected CoW Swap aggregator.
- Re-deposited the equivalent stkGHO into the vault to restore liquidity.
- Temporarily paused the YoUSD market on Pendle, to be reopened after replenishment.
Additionally, the team left messages on-chain proposing a cooperation plan with LPs who captured profits: suggesting LPs retain 10% as a bug bounty, and the rest be amicably returned, aiming to resolve the dispute privately.
Root Cause Summary
This incident was not due to a vulnerability in the YO Protocol smart contracts themselves, but a typical operational risk amplified by the unique features of Uniswap v4. Key factors include:
- Routing errors by automated scripts or aggregators, mistakenly entering extremely configured v4 pools (narrow liquidity ranges + custom hooks that may cause dynamic high fees or price manipulation).
- Lack of sufficient protective mechanisms, such as whitelisted pools, enforced slippage limits, or price impact checks.
- Since its launch in 2025, Uniswap v4’s hook mechanism has brought high innovation but also potential risks like “slippage bombs,” especially dangerous for large trades.
Multiple security teams agree that this was an “operational mistake magnified” event rather than malicious attack, serving as a warning that DeFi protocols must significantly strengthen safety measures during automated large-volume operations.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
A user signed a malicious transaction and lost $200,000; GoPlus alerts users to be cautious of Permit/Approve phishing attacks
Gate News reports that on March 20, according to GoPlus security monitoring, an address starting with 0x9709 signed malicious Permit and Approve transactions, leading to the theft of approximately $200,000 worth of USDC and wmtUSDT by phishing attackers. GoPlus advises users to carefully verify transaction details and contract addresses when signing any on-chain authorization (Approve) or offline signature (Permit) requests, and to avoid signing malicious requests from unknown sources to prevent asset theft.
GateNews2h ago
Solana's stablecoin supply reaches $17.9 billion, a record high, with USDC accounting for over 56%
Solana blockchain stablecoin supply reaches $17.9 billion all-time high, with USDC accounting for over 56%. Its stablecoin transfer volume surpasses Ethereum and Tron, demonstrating efficiency in payments and fund flows, highlighting its competitive advantage amid economic volatility.
GateNews3h ago
MLB Signs Exclusive Polymarket Prediction Market Agreement, US State Regulators at Odds
Major League Baseball (MLB) has reached an exclusive partnership with decentralized prediction market platform Polymarket, with a contract value of up to $300 million, marking a divergence in prediction market regulation. MLB's agreement with Polymarket and the CFTC highlights differing jurisdictional positions between federal and state authorities over prediction markets. If states prevail in litigation, the contract could be terminated to reduce legal liability, which also reflects prediction markets' gradual convergence toward mainstream finance.
MarketWhisper4h ago
Large transfer of 406.8 million USDC occurred between two unknown wallet addresses
Gate News reports that on March 19, on-chain monitoring showed a large USDC transfer between two unknown cryptocurrency wallet addresses, with a transfer amount of 406,839,885 USDC (approximately $406.8 million). The identities of the wallets involved have not been disclosed, and this large transfer has attracted attention from the crypto community.
GateNews6h ago
Mega Bank Global Stablecoin Test vs. Traditional Remittance: Who Wins? Rui-Bin Dong: 200,000 TWD is the "Turning Point"
Mega Bank's field test report shows that stablecoins outperform traditional banks in small remittances, with faster settlement and lower costs; however, traditional banks still have clear advantages in large corporate transfers and compliance. Chairman Tung Jui-pin emphasized that the two should be complementary rather than replace each other. The widespread adoption of stablecoins faces regulatory challenges.
動區BlockTempo10h ago
SBI VC Trade kicks off retail USDC lending as stablecoins rise
SBI Holdings’ crypto arm, SBI VC Trade, is rolling out a USDC lending product in Japan, enabling retail users to lend Circle’s stablecoin to the platform under fixed-term agreements in exchange for interest. The offering limits per-user exposure to 5,000 USDC, with the loan treated as an asset to SB
CryptoBreaking13h ago
