Blog Post Cover

yoUSD Incident Postmortem: Automated Harvest Swap (Jan 12, 2026)

By YO

On January 12, 2026, YO’s Automated Harvesting System executed an unfavorable swap that created a $3.7M shortfall in the yoUSD vault. No user funds were lost. YO’s treasury fully covered the shortfall, and vault operations resumed the same day. We are publishing this report to share our technical findings and the measures we have implemented to ensure this incident remains isolated.

Impact

  • User balances: Not affected
  • Protocol solvency: Not impacted
  • Vault availability: yoUSD was temporarily paused during the investigation
  • Financial: $3.7M shortfall, covered in full by YO Treasury

Root Cause Summary

The incident occurred when YO’s Automated Harvesting System, designed for small reward swaps, exchanged the vault’s entire stkGHO balance at an extreme price due to a configuration edge case and insufficient quote validation. Safeguards used for YO’s large-trade systems were not consistently applied across all automated components, as YO is gradually expanding toward fully automated vault operations.

What Happened

YO operates an Automated Harvesting System that claims protocol rewards and swaps those rewards into the vault’s underlying asset. As part of YO’s broader vision, we are actively working toward end-to-end automation of vault operations, reducing manual intervention and improving capital efficiency. This incident occurred in the course of executing on that vision and expanding automated system coverage.

In this incident, the system unintentionally swapped more than the harvested rewards. A configuration edge case arose because stkGHO was the same token used for both the harvested rewards and the vault’s principal position. As a result, the Harvester attempted to swap the vault’s full stkGHO balance (principal plus rewards). The trade executed at an extreme price from the DEX aggregator quote that was not rejected by the Harvester.

YO operates multiple systems with different design assumptions. The Rebalancer is designed for large trades and includes safeguards that execute orders in small increments and validate price impact before proceeding. The Harvester was built for smaller, routine reward conversions under $1,000 often involving scarcely traded tokens. This led to a blind spot where we did not apply the same rigorous guardrails used for our high-value Rebalancer system.

While the Harvester included slippage parameters (10 bps initially, increasing up to 50 bps across retries), these controls only measured price movement during execution and did not validate whether the starting quote was acceptable, leaving the system exposed to extreme price impact. As a result, slippage protections were insufficient, and the trade proceeded when it should have been blocked.

As YO expands to broader automated execution, safeguards must scale consistently. This incident reflects a gap between systems with different assumptions, and addressing this gap is part of YO’s ongoing work toward safe, automated vault operations.

Detection and Response

Our monitoring detected a TVL mismatch and paused yoUSD on Base and Ethereum to prevent further impact. The YO treasury fully covered the shortfall. Vault accounting was restored, and normal operations were safely resumed.

Timeline of Events

Times in UTC

  1. Jan 5, 2026 2:38pm: stkGHO token was allowlisted onchain to be swapped by the Automated Harvesting System (Harvester).
  2. Jan 12, 2026 1:02pm: The Harvester requested a swap quote from the ODOS API to sell all the available stkGHO balance in the yoUSD vault. The swap was executed, selling 3,840,651.39 stkGHO for 112,036.12 USDC.
  3. Jan 12, 2026 1:50pm: Internal monitoring detected a TVL discrepancy in yoUSD.
  4. Jan 12, 2026 2:47pm: yoUSD was paused on Base and Ethereum after confirming the mismatch of TVL figures. Investigation and remediation of the incident starts. Users and partners are notified.
  5. Jan 12, 2026 5:00pm: YO begins transferring treasury funds to cover the $3.7M shortfall in full.
  6. Jan 12, 2026 5:40pm: The admin multisig unpauses the vault to resume operations. Users and partners are notified.
  7. Jan 12, 2026 10:39pm: YO Treasury finalizes all transfers to yoUSD.

How We’re Preventing This Going Forward

To prevent similar events in the future, YO has implemented systemic changes and standardized trading guardrails across all systems:

  1. Universal trade guardrails: Guardrails have long been enforced across our trading systems; however, the Harvester unintentionally missed certain controls. This gap has now been closed. All on-chain trades (including the Harvester and Rebalancer) are now subject to the same guardrails, including maximum trade size limit, price-impact threshold, simulation, and execution validation. No trade path can bypass these controls. This includes:
    • Expanding hard maximum to the Harvester: We implemented a cap per execution for automated swaps. Any trade exceeding this bound is automatically blocked and requires explicit manual review, ensuring that automation can never execute large trades.
    • Expanding price impact validation to the Harvester: Before execution, all trades, including swaps, are validated against an expected output amount derived from simulation results and reference pricing; any deviation beyond a configured threshold results in the trade being rejected. This ensures that the received value remains within acceptable bounds.
  2. Bounded retries: Automated execution permits a limited number of retries only while pricing, routing, and validation inputs remain consistent and within predefined safety bounds. If any validation check fails, inputs diverge, or execution conditions degrade, the system halts rather than widening assumptions or accepting worse execution.
  3. Separation of reward and principal assets: Assets classified as principal assets (e.g., stkGHO) can no longer be classified as reward assets. As a result, The Harvester is not permitted to swap these assets under any circumstances.
  4. Improved monitoring and real-time alerts: We have expanded logging and alerting across harvesting and execution workflows, along with real-time alerts for:
    • Large balances becoming eligible for execution
    • Failed or retried swaps
    • Abnormal price impact or execution patterns
    • Repeated executions across short time windows

All detected anomalies are subject to manual review and approval before execution proceeds.

Conclusion

YO has fully covered the shortfall associated with this incident and taken corrective action. We remain firmly committed to the high security standards that define our protocol. While automation is critical for scalability and efficiency, it must be supported by rigorous guardrails. Additional safeguards have now been implemented to ensure the system operates safely, reliably, and in line with our standards.

YO’s vision is to build the first fully automated vault that optimizes yield across all chains and protocols. In DeFi, users should not need to constantly chase yields, and partners should be able to rely on a simple, multi-chain vault that automatically rebalances based on defined risk parameters.

We appreciate the community’s patience, support, and constructive feedback during the investigation of this incident. Transparency remains a core value for us, and we are committed to learning from this incident to prevent similar issues in the future. If you have any questions or concerns, please send a message in Discord.