Yearn Finance

Stage 1
TVL: $284M
Website: yearn.fi
Date: 2026-01-28
Chains: ethereum, arbitrum, optimism

Risk Assessment

Upgradeability: 48h+ Timelock
Admin Control: DAO Governance
Fund Access: Restricted
Audits: Extensive
Oracle: Decentralized
Track Record: 4+ years

Yearn Finance Risk Assessment

Overview

Yearn Finance is a yield aggregator protocol that automatically moves user funds between DeFi lending protocols and liquidity pools to maximize returns. Users deposit assets into Vaults, which execute strategies designed and managed by experienced strategists.

Yearn pioneered the yield aggregator model and introduced the ve-tokenomics concept that has been widely adopted across DeFi.

Smart Contract Risk

Contract Architecture (V3):

  • Modular ERC-4626 compliant vaults
  • Tokenized Strategies as standalone vaults
  • VaultFactory for trustless deployment
  • Periphery modules (Accountants, Debt Allocators)

Code Quality:

  • Audited by ChainSecurity and others
  • V3 emphasizes security best practices
  • Open source on GitHub
  • Bug bounty program active

December 2025 Incident:

  • $300K exploit on legacy iEarn TUSD contract (2,100 days old)
  • Active V2/V3 vaults ($560M TVL) unaffected
  • Demonstrates risk of legacy systems
  • Active vaults remain secure

Attack Surface:

  • Strategy risk varies by vault
  • External protocol dependencies
  • Strategist execution risk
  • Complex multi-protocol interactions

Admin/Governance Risk

Governance Structure:

  • YFI token for governance
  • September 2025: 90% of protocol revenue directed to stakers
  • Direct staking replaced the underused ve-model
  • Governance proposals via forum and voting

Role-Based Access:

  • role_manager controls vault configuration
  • EMERGENCY_MANAGER can shut down vaults
  • DEBT_MANAGER handles allocations
  • Strategists manage specific strategies

Trust Assumptions:

  • Strategists are trusted to manage funds wisely
  • Governance can modify fee parameters
  • Emergency shutdown capability exists
  • Strategy risks vary widely
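As an added example (not from this assessment or from Yearn's own code), the Python below decodes a V3 vault's per-address role bitmask into role names and flags the concentration the Role-Based Access and Trust Assumptions lists describe: one key holding several fund-impacting roles, or the role_manager itself holding operational roles. The bit positions follow the V3 Roles enum order as recalled here and the sample addresses and masks are constructed, so both are assumptions to verify against the deployed vault source.

```python
from typing import Dict, List
# Assumed bit values: V3 Roles enum order as recalled (first flag == 1, then doubling).
# Only role_manager, EMERGENCY_MANAGER and DEBT_MANAGER are named on the page; verify
# every name and position against the deployed vault's source before relying on it.
ROLES = {
    "ADD_STRATEGY_MANAGER": 1 << 0,
    "REVOKE_STRATEGY_MANAGER": 1 << 1,
    "FORCE_REVOKE_MANAGER": 1 << 2,
    "ACCOUNTANT_MANAGER": 1 << 3,
    "QUEUE_MANAGER": 1 << 4,
    "REPORTING_MANAGER": 1 << 5,
    "DEBT_MANAGER": 1 << 6,
    "MAX_DEBT_MANAGER": 1 << 7,
    "DEPOSIT_LIMIT_MANAGER": 1 << 8,
    "WITHDRAW_LIMIT_MANAGER": 1 << 9,
    "MINIMUM_IDLE_MANAGER": 1 << 10,
    "PROFIT_UNLOCK_MANAGER": 1 << 11,
    "DEBT_PURCHASER": 1 << 12,
    "EMERGENCY_MANAGER": 1 << 13,
}

# Roles that can move, strand or write down user funds; one key holding several of
# these is the "strategists control fund allocation" trust assumption made concrete.
FUND_IMPACTING = {"ADD_STRATEGY_MANAGER", "FORCE_REVOKE_MANAGER", "DEBT_MANAGER",
                  "DEBT_PURCHASER", "EMERGENCY_MANAGER"}

def decode_roles(mask: int) -> List[str]:
    """Return the role names set in a vault's roles(address) bitmask."""
    return [name for name, bit in ROLES.items() if mask & bit]

def assess(role_manager: str, roles_by_addr: Dict[str, int]) -> List[str]:
    """Flag role_manager holding operational roles and addresses with >1 fund-impacting role."""
    findings = []
    for addr, mask in roles_by_addr.items():
        held = decode_roles(mask)
        if addr == role_manager and held:
            findings.append(f"{addr}: role_manager also holds {held}")
        risky = sorted(FUND_IMPACTING & set(held))
        if len(risky) > 1:
            findings.append(f"{addr}: concentrates fund-impacting roles {risky}")
    return findings

# Constructed sample assignment (placeholder labels, not real addresses or masks).
SAMPLE_ROLE_MANAGER = "0xGOV_TIMELOCK"
SAMPLE_ROLES = {
    "0xGOV_TIMELOCK": 0,                                               # only grants roles
    "0xKEEPER": ROLES["REPORTING_MANAGER"] | ROLES["DEBT_MANAGER"],    # one fund role: ok
    "0xOPS_EOA": ROLES["DEBT_MANAGER"] | ROLES["EMERGENCY_MANAGER"],   # flagged
}
```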

Oracle Risk

Strategy-Dependent:

  • Vaults inherit oracle needs from strategies
  • Most strategies use Chainlink indirectly
  • No single oracle dependency at protocol level
  • Risk varies by underlying protocols

Oracle Security:

  • Inherited from connected protocols
  • Strategy-specific configurations
  • Multiple oracle sources across strategies

Economic Risk

Liquidity Risk:

  • $560M+ TVL in active vaults
  • Deep liquidity in major vault tokens
  • Withdrawal availability depends on strategy positions
  • Some vaults may have lock-up periods

Yield Dynamics:

  • Returns depend on DeFi market conditions
  • Strategist skill affects performance
  • Protocol fees reduced for stakers
  • Competitive with dedicated protocols

Operational History:

  • Launched July 2020
  • V2 launched January 2021
  • V3 launched 2023
  • Legacy contract exploit December 2025
  • Core vaults never exploited

Stage Assessment

Stage 1 Criteria Met:

  • Governance-controlled upgrades with delay
  • Decentralized YFI governance
  • User funds in non-custodial vaults
  • Multiple security audits
  • 4+ years operational track record

Why Not Stage 2:

  • Strategists have control over fund allocation
  • Governance can modify parameters
  • Strategy risks vary significantly
  • Legacy code still exists (being sunset)

Justification: Yearn achieves Stage 1 (Limited Trust) status due to its mature governance system, modular V3 architecture, and long operational history. While strategists have significant control over fund allocation, users can evaluate individual vault strategies before depositing. The December 2025 legacy exploit highlighted risks of old code but did not affect active vaults, demonstrating V2/V3 security. The protocol’s commitment to sunsetting legacy systems is positive.