YO Protocol has suffered a $3.7 million loss following a failed rebalancing transaction caused by extreme slippage parameters, according to on-chain data and post-incident analysis. The incident, which occurred on January 12, 2026, did not involve a hack or malicious exploit but was instead triggered by a misconfigured automated swap executed by the protocol’s own vault operator.
How a Routine Rebalance Turned Costly
The incident stemmed from a routine vault rebalance intended to swap approximately $3.71 million worth of stkGHO into USDC. The transaction was routed through the Odos aggregator and executed on Ethereum’s mainnet. However, abnormal routing parameters and an effectively disabled slippage check caused the swap to execute at a catastrophic rate.
On-chain data shows the transaction fragmented the stkGHO position across dozens of liquidity pools, including Uniswap V4, Uniswap V3, Curve, Balancer V3, Fluid, and Bancor. Several of the pools had extremely thin liquidity and unusually high fee tiers, some reaching as high as 88%. As a result, nearly 97% of the value was absorbed by liquidity providers.
The final output of the transaction delivered just $112,036 in USDC back to the vault, despite input assets valued at over $3.7 million.
Slippage Parameters Disabled Critical Safeguards
Security firms including BlockSec, PeckShield, and QuillAudits later confirmed that the root cause was a malformed output quote combined with abnormal executePath parameters. The slippage tolerance for the swap was set to an unusually high value, effectively allowing the transaction to execute regardless of price impact.
Rather than failing, the swap completed exactly as configured, routing funds through illiquid pools and extracting value at every hop. Analysts noted that the transaction technically succeeded, despite producing a devastating financial outcome.
Protocol Response and Damage Control
Within hours of the incident, YO Protocol’s multisig wallet replenished the vault by purchasing approximately $3.71 million worth of GHO via CoW Swap, an MEV-protected aggregator, and redepositing stkGHO. The Pendle yoUSD market was temporarily paused during the incident but later resumed normal operations.
The protocol also sent an on-chain message to liquidity providers who benefited from the transaction, proposing that they retain 10% of the proceeds as a bug bounty and return the remaining funds. At the time of writing, it remains unclear how much has been recovered.
YO Protocol later published a post-mortem confirming that the automated harvesting system responsible for the swap did not apply the same slippage guardrails used elsewhere in the protocol. While execution drift was monitored, the system failed to validate whether the initial quote was reasonable.
