YO Protocol Reports Serious Token Swap Error: Approximately $3.84 million worth of stkGHO was accidentally exchanged via an extreme pool on Uniswap v4 during an asset rebalancing operation, resulting in only about $12,200 USDC received, instantly evaporating nearly $3.7 million in value.
(Background: TrueBit protocol suspected of being hacked! 8,535 ETH transferred abnormally, $TRU instantly halved)
(Additional context: North Korean hackers set a record in 2025 by stealing $2.02 billion in cryptocurrencies, with a laundering cycle of about 45 days)

Table of Contents

• Incident Overview
• YO Protocol Team’s Rapid Response
• Summary of Root Cause

Blockchain security firm BlockSec’s latest post disclosed that on January 13, 2026, the DeFi protocol YO Protocol experienced a serious abnormal token swap event. This was not a traditional smart contract vulnerability or hacking incident, but a severe operational mistake during the process, leading to a loss of about $3.84 million worth of stkGHO (Aave-staked GHO tokens). During the USDC swap, only about $12,200 USDC was successfully received, with an actual loss approaching $3.7 million.

YO protocol (@yield) was reported to suffer a bizarre swap on #Ethereum: ~$3.84M stkGHO ended up as only ~$122K USDC. The team has taken actions including buying GHO and re-depositing stkGHO into the vault.

Our investigation suggests the discrepancy may have resulted from two… pic.twitter.com/ttbZwv5zEt
— BlockSec Phalcon (@Phalcon_xyz) January 13, 2026

Incident Overview

According to on-chain analysis by BlockSec and other security teams, the incident originated from a large asset rebalancing operation executed by the Yo Vault operator (or automated keeper) of YO Protocol: exchanging about $3.84 million worth of stkGHO for USDC. This transaction was originally supposed to find the best route via an aggregator, but was instead directed to a liquidity pool on Uniswap v4 with extremely thin liquidity, high fees (or using custom hooks).

Due to abnormal routing choices, combined with the initiator possibly setting an excessively high slippage tolerance (or no protection at all), extreme price impacts and large fee extraction occurred. Ultimately, most of the value was captured by liquidity providers (LPs) in that Uniswap v4 pool, leaving only about $11,200–$12,200 USDC back in the protocol.

YO Protocol Team’s Rapid Response

After the incident, the YO Protocol team quickly implemented remedial measures within a few hours:

• Recovered approximately $3.71 million worth of GHO using a MEV-protected CoW Swap aggregator.
• Re-deposited the equivalent stkGHO into the vault to restore liquidity.
• Temporarily paused the YoUSD market on Pendle, to be reopened after replenishment.

Additionally, the team left messages on-chain proposing a cooperation plan with LPs who captured profits: suggesting LPs retain 10% as a bug bounty, and the rest be amicably returned, aiming to resolve the dispute privately.

Root Cause Summary

This incident was not due to a vulnerability in the YO Protocol smart contracts themselves, but a typical operational risk amplified by the unique features of Uniswap v4. Key factors include:

• Routing errors by automated scripts or aggregators, mistakenly entering extremely configured v4 pools (narrow liquidity ranges + custom hooks that may cause dynamic high fees or price manipulation).
• Lack of sufficient protective mechanisms, such as whitelisted pools, enforced slippage limits, or price impact checks.
• Since its launch in 2025, Uniswap v4’s hook mechanism has brought high innovation but also potential risks like “slippage bombs,” especially dangerous for large trades.

Multiple security teams agree that this was an “operational mistake magnified” event rather than malicious attack, serving as a warning that DeFi protocols must significantly strengthen safety measures during automated large-volume operations.