YIP-90: yETH Optimistic Recovery Plan

Author: 0xPickles

tl;dr

• Zero Principal Spend: No Treasury principal is spent or distributed. Treasury principal is never impaired and remains fully owned by Yearn.
• Balance Sheet Neutral & Runway Safe: Treasury deploys its existing ETH holdings (currently ~1,600 ETH) toward recovery. No new ETH is purchased, exposure remains unchanged, and funds remain fully unwindable via governance.
• Immediate Recovery Boost: Treasury forfeits its own ~334 ETH ($1M) recovery claim, instantly boosting the user recovery floor from ~25% to ~30.38%.
• Shared Investment: stYFI holders opt-in to contribute 10% of protocol revenue temporarily, accelerating recovery and increasing stYFI’s long-term value flow.
• Voluntary: Users opt-in voluntarily and can exit at any time. Early exits reduce the liability and speed up recovery for those who stay.
• No Solvency Risk: This proposal does not impact Yearn solvency risk.

1. Summary

This proposal establishes a voluntary, DAO-wide recovery mechanism for users affected by the yETH exploit. It combines the strength of the Yearn Treasury’s balance sheet with the cashflow power of stYFI token holders to provide a credible path to 100% recovery without spending Treasury principal.

This represents a Unified Framework where every stakeholder contributes proportionally in the recovery:

1. The Treasury provides the capital base (principal protected).
2. stYFI Holders provide the revenue stream (accelerant).
3. Users provide the time and patience.

1.1 Status

Discussion
This proposal is in the discussion phase. As per YIP-55, it will remain here for at least 3 days with a non-binding forum poll. If sentiment is positive, it can move to Snapshot for a binding vote.

2. Abstract

If adopted, this proposal will:

• Authorize the deployment of the yETH Recovery Vault.
• Allocate the Treasury’s existing ETH holdings (~1600 ETH) toward recovery, with the intent to match net user losses over time through yield, recovered assets, early exits, and protocol revenue redirection. The principal remains under yChad multisig custody.
• Authorize the forfeiture of the Treasury’s claim on recovered assets (~334.7 ETH), redistributing it to users to boost the immediate recovery floor.
• Implement a temporary Protocol Revenue Redirection: adjusting the revenue split to 80% stYFI / 10% Treasury / 10% Recovery until the debt is paid.
• Establish a 90-day opt-in process for users to claim their recovery tokens.
• Delegate strategy management to the Yearn Curation / SAM team.

3. Background

On Ethereum block 23,914,086, the yETH weighted stableswap pool was exploited due to a vulnerability in the invariant solver logic.[1] With the rapid assistance and collaboration by the Dinero and Plume teams, Yearn contributors were able to successfully recover approximately 857 pxETH (~25% of the total loss).

YIP-72 §8[2] explicitly protects the protocol from being required to reimburse users. This clause was designed for existential-scale scenarios where reimbursement would threaten the protocol’s survival. However, this incident is not existential. The scale of the net deficit is within Yearn’s capacity to address through a coordinated, DAO-wide response, without spending Treasury principal or drawing down Treasury assets.

While Yearn is not obligated to act, this proposal posits that user trust is a strategic imperative. Future growth relies on the market knowing that Yearn aligns with its depositors. Unlike an external downstream failure (e.g., an LST in yETH de-pegging or being hacked), this issue originated within the yETH protocol logic itself. Consistent with previous responses to the yvDAI incident[3] and the Resupply incident[4], this proposal offers a recovery path that supports our users, protecting the “security-first” premium of the brand, without crossing the line into a principal-spending bailout.

3.1 Loss Breakdown (Summary Table)

4. Strategic Rationale

4.1 Why this is NOT a Bailout

This is a mechanism, not a bailout. The Treasury does not distribute funds; it simply allows its capital to generate yield for users. The protocol offers the engine; users choose their recovery timeline.

• Users who want immediate certainty can exit around 30.38% of their pre-hack position.
• Users who want full recovery stay and earn yield over time, paying with Time and Opportunity Cost.
• Treasury pays with Yield (opportunity cost), not Principal.
• Protocol gains by converting a liability into fee-generating TVL.

4.2 Positive Game Theory Mechanics

This structure creates a “Dissolving Debt Pool” with a self-reinforcing flywheel:

• Users can exit immediately with ~30.38% of assets.
• When users exit, the total debt liability decreases, but the Treasury’s yield-bearing capital remains.
• As a result, the Capital-to-Debt ratio improves, and the recovery timeline for remaining users accelerates.

This transforms a static deficit into a dynamic, self-healing system where rational early exits enhance the recovery prospects for those who stay.

4.3 Why Treasury Guardians Should Support This

This proposal does not lock the runway.

• Market Exposure Neutrality: The Treasury is already long ETH in Yearn vaults. Whether these vault tokens sit in Treasury or in a controlled recovery vault, market exposure is identical.
• Liquidity Flexibility: If Yearn ever faces operational or runway needs, governance can unwind the position or parts of it as needed and return Treasury capital. This ensures the deposit never becomes a hard commitment and cannot threaten protocol solvency.

4.4 Why stYFI Holders Should Support This

The temporary 10% redirection is a capital investment into Yearn’s trust premium, to directly increase future stYFI revenue.

• Capital Recirculation: The 10% redirected revenue is recycled through Yearn strategies, generating performance fees that flow back to stYFI. stYFI holders temporarily give up yield to grow future revenue.
• Positive ROI: This turns a reputational hit into a credibility boost. Depositors gain confidence that Yearn stands behind them, a signal to support future TVL growth.
• Temporary: This redirection is explicitly temporary and self-terminating: once users are made whole (SharePrice = 1.0), the full 90% revenue share automatically reverts to stYFI.

4.5 Long-term Benefits to Yearn

1. Revenue Growth: Restoring trust accelerates TVL recovery, increasing protocol revenue long-term.
2. Brand Premium: Reinforces Yearn as a security-first protocol, justifying its premium position versus competitors.
3. Governance Defense: Pre-empts potential governance proposals that could force less capital-efficient bailouts or recoveries.

4.6 Scope Definition

Out of Scope: This framework applies only to the yETH exploit. It does not create any precedent or expectation of recovery for prior or future incidents on unrelated products (e.g., external integrations). It should not be interpreted as a standing commitment for future incidents.

5. Mechanics & Specification

5.0 Immediate Post-Approval Actions

To avoid unnecessary delays and begin recovery as early as possible, the following actions will occur immediately upon proposal approval:

1. Recovered Asset Withdrawal: All recovered apxETH will be processed through the Beacon Chain withdrawal queue as soon as technically possible.
2. Treasury Earmarking: The Treasury’s ETH allocation for recovery will be explicitly earmarked at approval, even prior to Recovery Vault deployment.
3. Early Yield Accrual: Once withdrawn, recovered ETH and earmarked Treasury ETH may begin generating yield for the benefit of users under existing Treasury controls.
4. Vault Migration: Once the yETH Recovery Vault is deployed, all earmarked assets will be migrated into the vault, preserving continuity of yield.

5.1 Treasury Allocation & Principal Protection

1. Capital Match: The Treasury allocates its existing ETH holdings toward the recovery mechanism. At the time of proposal, this represents approximately ~1,600 ETH. No new ETH is purchased for this purpose.
2. Principal Preservation: This allocation is a deposit, not a payment. The Treasury retains full claim to all allocated principal, under the ultimate control of the yChad multisig, until users are made whole or governance elects to unwind the position.
3. Liquidity Escape Hatch: This allocation remains callable. If the DAO faces a liquidity crisis, a governance proposal may be passed to withdraw the Treasury’s principal.

5.2 Treasury Forfeiture (The Boost)

4. Claim Forfeiture: The Treasury forfeits its claim on the recovered assets (~334.7 ETH).
5. Effect: This effectively makes the Treasury the First-Loss Tranche, immediately boosting the user recovery floor to ~30.38% (roughly $1M in value transferred). This incentivizes early exits.

5.3 Protocol Revenue Redirection

6. New Split: The revenue split[5] is temporarily adjusted to: 80% stYFI / 10% Treasury / 10% Recovery.
7. Cadence: The revenue redirection follows the existing YIP-88 accounting cadence. Revenues continue to accrue to the Treasury and are distributed once stYFI emissions are live, and continues to be in line with the stYFI distribution model thereafter.
8. Duration: This split remains active until users are made whole (SharePrice = 1.0), at which point the 10% reverts to stYFI holders.
9. Yield Backstop: For the purpose of the veYFI yield backstop calculations established in YIP-88[6], the 10% revenue redirected to the Recovery Vault will be treated as revenue distributed to stYFI. This ensures stYFI holders do not lose eligibility for any future backstop adjustments while the temporary redirection is active.
10. Optionality: Like the Treasury capital, this redirection can be modified or ceased via governance if protocol needs change.

5.4 Vault Logic & Exit

11. Tokenization: Users receive a transferable ERC-20 token, representing their pro-rata share of the recovery, that can be bought and sold on AMMs.
12. Yield: 100% of yield (from Treasury deposit, recovered funds, and redirected revenue) flows to recovery token holders. The Recovery Vault itself charges no fees; only underlying strategies charge their standard performance/management fees (which flow to stYFI).
13. User Exit: Users remain in full control. They may burn their tokens at any time to withdraw their share of the underlying assets (SharePrice * Amount).
14. Treasury Exit: The Treasury withdraws its principal once users are made whole (SharePrice = 1.0) or via the Escape Hatch.

5.5 Snapshot & Integrator Claims

15. Snapshot Block: Eligibility is based on yETH and st-yETH balances at the block immediately preceding the exploit (23914085).
16. Holder-is-Owner: Claims are attributed to the address holding the tokens at the snapshot. For integrators and lending markets, the protocol contract is treated as the owner; they are responsible for downstream distributions. This ensures Yearn does not mediate internal accounting among third-party lenders and borrowers; integrators must resolve these allocations according to their own governance.
17. Verification Window: A review period (7 days) will allow integrators to coordinate appropriate claim addresses via making public Pull Requests to the snapshot repo before distribution begins.
18. Passthrough Expectations: For integrator-held positions, the intent of this framework is that recovery value ultimately accrues to the underlying economic beneficiaries. Integrators claiming recovery tokens are therefore encouraged to publicly disclose their passthrough methodology and timelines, and to distribute recovery principal and accrued yield on a pro-rata basis according to their own governance and accounting processes. Yearn contributors do not adjudicate downstream claims but will make reasonable efforts to provide technical assistance and coordination to integrators implementing such distributions.

5.6 Opt-In Process

19. Claim Window: A Merkle Distributor will be deployed with a 90-day claim window.
20. Active Yield: Unclaimed funds remain in the pool during the window and generate yield, benefitting active participants.
21. Late Claims: Users claiming after the window must submit a manual request. They will receive their portion of the recovered principal only (no accrued yield).

5.7 Yield Strategy

22. Delegation: The Yearn Curation / SAM team is authorized to manage the underlying yield strategies.
23. Mandate: Provide the best risk-adjusted yield without exposing Treasury capital to excessive risk.
24. Transparency: Strategy allocations and changes will be announced to contributors for monitoring.
25. Candidates: Yearn-Curated Morpho vaults, yvWETH-1 (V3), or diversified ETH-native baskets.

6. Financial Impact

This proposal requires no expenditure of Treasury principal. The costs are solely the opportunity cost of yield on the matched ETH and a temporary investment of stYFI revenue.

In exchange, the protocol resolves a major incident, preserves its reputation, and demonstrates a unified front where all stakeholders contribute to the solution.

7. Vote

This poll is for non-binding sentiment gauging. The final, binding vote will occur on Snapshot.

Non-binding signaling poll

References

1. Incident Disclosure: yearn-security/disclosures/2025-12-01.md at master · yearn/yearn-security · GitHub
2. YIP-72 §8: YIP-72: Launch yETH
3. yvDAI incident: yearn-security/disclosures/2021-02-04.md at master · yearn/yearn-security · GitHub
4. YIP-86: https://gov.yearn.fi/t/yip-86-resupply-bad-debt-repayment-loan/
5. YIP-88 Revenue split: YIP-88: Governance Overhaul: ⓶ stYFI
6. YIP-88 Yield backstop: YIP-88: Governance Overhaul: ⓶ stYFI

Changelog

• Dec 11, 2025: First draft
• Dec 13, 2025: Added section 5.0, updated loss breakdown and treasury amounts
• Dec 15, 2025: Added point 5.18, Passtrough Expectations
• Dec 16, 2026: Assigned YIP-90

Disclosure & Context

• I am a contributor and co-creator of the yETH protocol.
• I was also a yETH depositor and was personally affected by the incident.
• This proposal is authored by me as an individual, not as a representation of contributor consensus.

Yearn contributors have debated the path forward extensively. Internal views differ, ranging from strict non-intervention to more aggressive use of protocol resources. The absence of a singular internal consensus confirms that formal governance is the appropriate venue for this decision.

This proposal reflects and synthesizes the most constructive elements of those internal discussions. It aims to present a disciplined, capital-efficient mechanism for governance to evaluate: One that balances the interests of affected users, token holders, the Treasury, and contributors, while at the same time prioritizing Yearn’s long-term value creation and growth prospects.

Ultimately, the decision on how best to proceed belongs to the DAO.

After reviewing the proposal and running some simulations, I believe some improvements are needed to make the plan more balanced for affected users.

1. In the worst-case scenario (very few exits), full recovery takes more than 20 years.
   Remaining deficit ≈1,965 ETH and annual inflow ≈95 ETH → ~20.6 years. This should be stated clearly so users understand the lower bound.

2. Recovery only becomes reasonable if most users exit early. With 50–70% initial exits and 5–10% yearly exits, recovery shortens to 5–10 years, but this is not guaranteed. The plan should not rely mainly on user loss-taking to work.

3. Yearn’s financial contribution (3% APY on 1,600 ETH + 10% temporary revenue share) is small relative to the size of the loss. Since this incident came from a protocol-level issue, it would be fair for Yearn to support recovery more meaningfully.

4. A modest treasury addition could help without risking Yearn’s long-term finances.

5. A revenue “surplus sharing” mechanism could also help: if protocol revenue exceeds a historical average, a small portion (e.g., 15–20%) could temporarily go to the recovery vault. This improves timelines without committing fixed treasury funds.

6. Clearer exit mechanics would help users understand how the system works and how timelines change depending on exit behavior.

Please note that the calculations i did are approximate. Given this, it may be safer to avoid overly optimistic expectations about exits, revenue, or timelines, especially considering how quickly conditions change in the crypto space.

Thanks for running these simulations, it is exactly the kind of scrutiny this proposal needs.

You are correct that a fully static model (assuming zero exits, flat yield, and no secondary market) implies a long recovery tail. However, that “worst-case” framing does not reflect the dynamic incentives built into the mechanism.

1. Dynamic Variables vs. Static Math
If we assume ETH yield is more or less constant, the actual recovery timeline is driven by three interacting variables: early exit rates, ETH price action, and protocol revenue. These variables are reflexive. For example, if ETH price rises, the USD value of the immediate ~30% recovery floor increases, incentivizing additional exits. Each exit reduces total outstanding liability while Treasury capital remains constant, mathematically accelerating the recovery for those who remain.

2. Secondary Market Price Discovery
Static models miss the most important variable: liquidity.
Because recovery positions are represented by a tradeable ERC-20 token backed by “sticky” Treasury capital, a market price will form between the floor (~30%) and par (100%). Users are not forced to wait decades; they can exit at a market-determined value at any point. Rational buyers are expected to price the token based on forward yield and recovery velocity, providing an additional exit path for users who prefer liquidity over duration.

3. The Treasury’s Contribution
With respect to Yearn’s financial support: the Treasury is forfeiting its own recovery claim of ~334 WETH (~$1M). This is an immediate, realized loss borne by the protocol to raise the user recovery floor on day one. It is a material contribution and represents the largest direct principal concession the Treasury can make without compromising strategic reserves.

4. The Core Constraint
Suggestions such as additional Treasury contributions or variable “surplus sharing” are understandable, but they cross the core invariant of this design: balance sheet neutrality.
This proposal is intentionally engineered to deliver the maximum level of assistance possible without spending Treasury principal or creating open-ended liabilities. A flat 10% revenue share was selected over variable surplus models specifically for predictability, governance clarity, and auditability.

The proposal optimizes for resilience and optionality, ensuring that Yearn remains strong enough throughout to generate the yield and growth that ultimately powers the recovery.

Something not clear for me:

Where is the ~334.7 ETH that the treasury is forfeiting coming from, is it from their own deposits/LP positions that were drained in the yETH pool during the exploit, or is it a proposed recovery fee/share for the work done in recovering the 857 ETH from the attacker?

Reference of deposit:

Correct

Absolutely not

Hello everyone. I’ll preface my message with my relevant disclosures, which are that I am not a YFI holder and I was a depositor in the yETH/wETH LP pool.

Firstly, I am glad to see some material discussion about restitution for those affected by the yETH exploit. This has been challenging for all involved, I’m sure. Thank you to 0xPickles for his work on this proposal. I have a few concerns I’d like to discuss

It seems, based on what 0xPickles has said above, that there is some sentiment among YFI holders that a possible route forward is no assistance at all for those affected by the exploit. Frankly, this is unconscionable and I’m actually floored that this is even being considered. This wasn’t some other DeFi protocol that Yearn was using in one of its strategies; this isn’t some junior DeFi protocol that is in its infancy and suffered a major exploit worth more than the protocol itself. yETH was a core product of Yearn. There was absolutely no decision or action on the part of the yETH depositors that led to this exploit. Yearn advertised itself as ‘The Best Risk-Adjusted Yield in DeFi’. Certainly Yearn does not offer the highest yields anymore, but I chose to deposit my money with Yearn because I trusted the team that has been around the longest, and because I trusted them to do the best they could with yield while keeping the money safe. Yearn’s entire brand is about trust at this point. If I wanted higher yields and were able to tolerate higher risk I’d deposit with beefy or any of the countless yield aggregator clones that have sprung up. The point I’m making is that the trust depositors have for Yearn is a big deal. If you think that it’s acceptable to offer no restitution whatsoever beyond the 25% of recovered funds via pxETH then I would argue this would be the beginning of the end for Yearn. I would recommend you go ahead and shut the protocol down and distribute the treasury to the YFI holders - because trust and Yearn’s reputation is the selling point of the protocol.

I think that some of the sentiments expressed in 0xPickles proposal make more sense when you think about them as a middle ground between many opposing views among the contributors. If you think that at least a modest restitution is the true bare minimum that can be done, I think we can reframe a few of the points.

1. I strongly disagree that the only way to be eligible for full restitution is to keep your money locked for an indeterminate length of time - on the order of years. I think that the pxETH recovered should be immediately distributed to every affected address, and in doing so no depositor should lose their claim to the rest of their deposit. I’m not even sure I understand the benefit of doing this - other than benefiting wealthy depositors who can afford to leave their money locked for longer. The value add seems to just be that ‘If you leave your money locked with Yearn, we’ll help you earn an additional 3% yield so we can pay you back your own money faster’ ? I propose that the recovered funds should be immediately offered to depositors with no stipulations on additional claims.
2. I recognize that some of the calculations mig performed may be inaccurate, but is it fair to say that we’re looking at 5-10 years before depositors are made whole? A keystone of this proposal relies on stYFI revenue sharing, which as I understand is not even developed or deployed yet, so it can’t be used for modeling the timeline. As 0xPickles noted, what is required from depositors is time and patience, but for the sake of argument let’s compare this to a traditional finance model. Essentially, Yearn has taken a loan from the depositors and would begin paying it back. This loan is set at 0% interest (because Yearn will only ever pay back the amount that the depositors held at the time of the exploit), and the loan duration is completely open ended (because value only accrues at the rate at which yield is earned). An open-ended loan at 0% interest is an extremely favorable condition for Yearn, and in fact ultimately the incentive is for Yearn to not pay back this loan (i.e. delay repayment for as long as possible). Another way to consider this situation is that in some exploits, the protocol would take a loan against its own treasury to repay depositors. In this circumstance, the exploited protocol pays interest on its loan, while the affected depositors are repaid immediately. My stance is that an open-ended, zero interest loan is not fair to the depositors. Perhaps options to take a loan against the value of the treasury could be explored, such that the ETH exposure and capital are ultimately not spent, but Yearn’s own yield goes to paying back its own loan, rather than the depositors over time. Another option if we’re going to keep the loan between Yearn and the affected depositors is that there could be a fixed repayment term - either fixed disbursements on a routine basis, or could be a slow disbursement over time based on earned yield, but after a time period of say (open to discussion) 5 years, if any remaining ETH is owed to depositors it would be then be paid directly by the treasury.

All of these points are open to further discussion. I welcome comments and critiques. Even though I am not a YFI holder I have been in the past and I care about the protocol. I do not advocate nuking the treasury for my own personal benefit at an existential risk to Yearn. I hope that through discussion we can find a mutually agreeable path forward that protects the reputation that has been painstakingly built over many years.

I still wouldn’t see this as a big concession. The proposal frames the forfait as a meaningful gesture, but essentially, it’s just formally renouncing the option for the team to auto-compensate themselves from the recovered funds, something that, in my view, would have been really damaging if they had done it without taking proper responsibility.

Personally, I do think Yearn could consider using a small portion of the stablecoin treasury to meaningfully increase the compensation offered, it would go a long way toward rebuilding trust. That said, 0xPickles definitely have the clearest view of the community’s mood and which proposal is most likely to pass

I agree with you on both points.

The recovered ETH should be distributed to depositors immediately without them forfeiting the claims on the rest of their deposits.

The point you make about Yearn taking out a 0% open-ended loan from the depositors is spot-on, as is the point about it creating an incentive for Yearn to not pay it back. Based on those issue, I agree that if we move forward with this proposal, it should be close-ended. If any remaining ETH is owed to depositors it could be paid with ETH from the Yearn Treasury, or perhaps Yearn could take out a loan for the remainder. Pay that to depositors and then pay off the loan with treasury yield.

This process could take 10–20 years and would significantly slow the growth and damage the credibility of Yearn Finance.

• Accelerate recovery by utilizing treasury yields from stablecoin positions.

• Accelerate recovery by distributing 50% of the capital allocated to the treasury to depositors, resulting in the following split: 80% to YFI stakers, 15% to depositors, and 5% to the foundation.

• Introduce a decaying YFI inflation schedule (10% → 7% → 5%) distributed to depositors to speed up recovery.

• Once deposits are fully backed, redirect 10% of protocol revenue toward YFI buybacks and burns to offset inflation.

• Some users held yETH and stETH in community pools, which resulted in significant impermanent loss (IL).
  Therefore, the snapshot must be adjusted to reflect corrected pool balances after losses are properly accounted for.

I’ll preface with the fact that I hold 1 veYFI and do not have any yETH.

I am generally in favor of a recovery plan. However, giving up 10% of the stYFI yield for several years does make me less interested in migrating to stYFI. How about, once everyone has been paid back, the recovery fund continues to hold treasury funds but with earnings redirected to stYFI to make up for the years of reduced yield?

Also, I think we should start building up a treasury amount that is specifically meant as an insurance fund (or cover, or whatever the lawyers want to call it).

Thank you Pickles. Could I clarify whether the debt would be denominated in ETH?

I am both a YFI and yETH holder. This seems to me a compromise position that represents responsible DAO governance.

Thank you for the feedback

Debt is denominated in ETH

Thank you @Mig @peanut @crypto-ali @Azimut @RedEmerald for taking the time to engage thoughtfully with this proposal. The range and depth of feedback reflects how tricky this situation is and how much is at stake for different stakeholders.

I thought it might be helpful to state the framing and constraints under which this proposal came to be.

This plan is intentionally a compromise. It does not maximize outcomes for any single group:

• Affected users understandably want faster, more certain recovery.
• stYFI / veYFI holders are concerned about yield dilution and long-term incentives.
• Treasury-focused participants are rightly wary of spending principal or setting open-ended precedents.
• Contributors are cautious about governance risk and Yearn’s long term sustainability.

That no group finds this proposal “perfect” is not accidental; it is a signal that the trade-offs are being shared rather than concentrated on any single one or faction.

On timelines and “worst-case” scenarios

Several comments correctly note that a fully static model (assuming minimal exits, flat yield, and no secondary market) produces a very long recovery tail. That is mathematically true, and also not the scenario the mechanism is designed around.

This system is deliberately dynamic, with three interacting variables:

• User exit behavior,
• ETH price and yield environment,
• Protocol revenue growth.

Importantly, recovery positions are represented by a tradeable ERC-20 token, backed by Treasury-matched capital. This allows price discovery and liquidity to form between the recovery floor and par value. Holders are not forced into multi-year lockups; they can exit at a market-determined price at any time. Static duration forecasts do not capture this optionality.

On Treasury’s contribution

It is reasonable to scrutinize the scale and nature of the Treasury’s participation. However, characterizing the Treasury’s forfeiture (~334 WETH / ~$1M) as “not a big concession” misunderstands the design constraints of this proposal.

Under a strict requirement of balance-sheet neutrality, the forfeiture is not incremental: it is the maximum irreversible principal loss the Treasury can absorb without spending assets, introducing leverage, or creating precedent. The correct comparison is not to the size of the exploit, but to the counterfactual: zero Treasury principal contribution

Any larger contribution necessarily requires one or more of the following: drawing down Treasury assets, issuing debt, inflating supply, or committing the protocol to open-ended guarantees. Each of these options introduces solvency risk or precedent and is therefore intentionally excluded.

The Treasury’s participation consists of two concrete actions:

• A direct forfeiture of its own claim (~334 WETH), which boosts the users’ recovery immediately on day one.
• The commitment of its ETH holdings to generate yield for users while retaining full governance control over that capital.

Taken together, this represents the maximum support possible within the chosen constraints. Proposals that go further are not disagreements about scale; they are disagreements about those constraints themselves.

The boundary is intentional.

On alternative mechanisms and suggestions

Many constructive ideas have been raised: fixed repayment horizons, surplus-based revenue sharing, insurance funds, treasury leverage, or inflationary recovery mechanisms.

These are not dismissed as invalid. They are simply out of scope for this proposal.

This YIP is designed to answer a specific question:

What is the most we can do for affected users without spending Treasury principal, creating open-ended liabilities, establishing protocol-wide recovery precedents, or materially impairing stYFI governance and Yearn’s future growth prospects?

Governance is free to explore additional or alternative mechanisms separately if it believes those trade-offs are preferable.

In closing

This proposal does not claim to be the ideal outcome for any one group. It is an attempt to offer a disciplined, capital-efficient path forward that users, token holders, contributors, and the Treasury can all plausibly live with, even if none get exactly what they would prefer in isolation.

Ultimately, this decision belongs to governance.

I appreciate the seriousness with which this discussion is being conducted and encourage voters to evaluate the proposal on its merits, its constraints, and the trade-offs it consciously accepts.

FYI proposal was updated with point 5.18 following feedback

Thanks for the feedback provided by those in this thread. I’ve noticed that there is a stark absence of comments from Yearn Contributors aside from 0xPickles. If this proposal is to serve as a compromise from multiple perspectives it would be helpful for the community to hear the concerns of those with YFI voting power, rather than silence.

In my opinion this proposal is unacceptable as it is currently written. The current proposal intends to use the recovered pxETH as part of the repayment to depositors. According to this comment

Under YIP-72, yETH is a self-governed, permissionless product whose treasury and accounting are controlled by its depositors, not the Yearn DAO or YFI token holders. This means:

• Contributors cannot unilaterally mint, reimburse, or modify user positions.

• Any action beyond distributing recovered funds requires community governance and must take into account the scale of losses and the product’s design.

We are evaluating all possible paths within these governance constraints and will communicate openly as options become clearer.

this suggests that the action to be taken with recovered assets is determined by yETH governance, and the default action will be to distribute recovered funds. As this proposal is currently written, the recovered funds are kept by Yearn and the yield from those assets are used to repay depositors. This is wrong. These funds belong to the depositors, and any yield generated by them should not be credited to Yearn for its repayment efforts. I propose the following Amendment A:

5.0 Immediate Post-Approval Actions

To avoid unnecessary delays and begin recovery as early as possible, the following actions will occur immediately upon proposal approval:

1. Recovered Asset Withdrawal: All recovered apxETH will be processed through the Beacon Chain withdrawal queue as soon as technically possible. The recovered apxETH will be immediately distributed pro-rata to the underlying economic beneficiaries.

2. Treasury Earmarking: The Treasury’s ETH allocation for recovery will be explicitly earmarked at approval, even prior to Recovery Vault deployment.

3. Early Yield Accrual: Once withdrawn, recovered ETH and Upon passage, Earmarked Treasury ETH may begin generating yield for the benefit of users under existing Treasury controls.

4. Vault Migration: Once the yETH Recovery Vault is deployed, all earmarked assets will be migrated into the vault, preserving continuity of yield.

This should not be controversial. The recovered funds do not belong to Yearn and shouldn’t be used as a carrot to encourage victims of the exploit to exit early.

Secondly, as mentioned above by 0xPickles, this proposal centers around a particular ideal:

Any larger contribution necessarily requires one or more of the following: drawing down Treasury assets, issuing debt, inflating supply, or committing the protocol to open-ended guarantees. Each of these options introduces solvency risk or precedent and is therefore intentionally excluded.

The Treasury’s participation consists of two concrete actions:

• A direct forfeiture of its own claim (~334 WETH), which boosts the users’ recovery immediately on day one.

• The commitment of its ETH holdings to generate yield for users while retaining full governance control over that capital.

Taken together, this represents the maximum support possible within the chosen constraints. Proposals that go further are not disagreements about scale; they are disagreements about those constraints themselves.

The boundary is intentional.

Within the above constraints, I still think this proposal heavily favors Yearn. The repayment period for this loss is indefinite, and due to the escape hatch at any point that YFI holders feel like they no longer wish to fulfill this obligation they can simply vote to remove their contributions. I propose two amendments to address this:

Amendment B:

5.1 Treasury Allocation & Principal Protection

1. Capital Match: The Treasury allocates its existing ETH holdings toward the recovery mechanism. At the time of proposal, this represents approximately ~1,600 ETH. No new ETH is purchased for this purpose. Any additional ETH earned by the treasury, unless earmarked for a specific and necessary budgetary purpose, should be allocated to the recovery vault, until users are made whole (SharePrice = 1.0), or Yearn governance closes the recovery vault.

Since Yearn will pay no interest on its debt to users, and this repayment period has no defined duration, this is intended to ensure that the Yearn treasury’s ETH is used to repay users, and encourages Yearn to fulfill its obligation before re-purposing its treasury for other ventures.

Amendment C:

5.1 Treasury Allocation & Principal Protection

1. Liquidity Escape Hatch: This allocation remains callable. If the DAO faces a liquidity crisis an existential threat to the health of the protocol, a governance proposal may be passed to withdraw the Treasury’s principal. This is a temporary measure until the crisis event has passed. At a frequency of no less often than every 90 (ninety) days the DAO will reassess if a crisis remains present. When the crisis is deemed to have passed, the treasury will again be allocated to the recovery vault to generate yield for the repayment of affected users.

This measure is to emphasize that this obligation to users is not optional. If the protocol faces an existential threat, then yes the treasury should go to the YFI holders first. However, the protocol should not be able to just disregard its obligations permanently to address a temporary problem.

I encourage participants in this discussion to comment on the merits or issues with each amendment individually.

Thank you for the continued engagement and for taking the time to write such a detailed response. I want to address a few recurring themes directly and clarify some important mechanics that may not have been fully clear.

On recovered assets and depositor rights

This proposal does not withhold, repurpose, or condition access to recovered assets.

In the absence of this proposal, affected users can claim their pro-rata share of recovered pxETH.
That baseline outcome remains fully intact.

Under this proposal:
• Users who do not opt in retain the exact same recovery path as the status quo.
• Users who do opt in gain access to additional, Treasury-funded upside.

There is no scenario under which a user is worse off because this proposal exists.

Put differently: the recovery framework is a free option for yETH holders, not a replacement of existing rights. Opting out preserves the status quo; opting in can only improve outcomes.

This is why the proposal does not require yETH governance approval to modify depositor outcomes: it does not modify them.

On the actual structure of the recovery mechanism

It may help to contrast the two scenarios explicitly.

Scenario A: This proposal

yETH holder at snapshot
│
├─ 1. Do not opt-in to recovery program → Claim recovered pxETH (~25%)
│
└─ 2. Opt in to recovery program
   ├─ 2.1 Exit immediately → pxETH + Treasury forfeiture (~30%)
   ├─ 2.2 Hold → pxETH + Treasury forfeiture + yield (>30%)
   └─ 2.3 Sell token → Market-priced liquidity (>30% if rational seller)

Scenario B: No proposal

yETH holder at snapshot
│
└─ 3. Claim recovered pxETH (~25%)

Scenario A strictly dominates Scenario B for yETH holders. It preserves the baseline outcome and adds optionality funded by Treasury yield and forfeiture, not depositor capital.

On Treasury obligations, duration, and the proposed amendments

The concern being raised here is essentially that this mechanism constitutes an “open-ended, zero-interest loan” from users to the protocol, and that governance could later disengage at will. That framing is understandable, but it rests on two assumptions that do not hold in this design.

First, this proposal does not create a debt obligation between users and Yearn.

There is no promise of repayment, no maturity date, no guaranteed yield, and no obligation enforceable against the Treasury. What exists instead is a voluntary yield participation mechanism funded by Treasury capital and protocol revenue, which users may opt into or exit at any time. This distinction matters.

Users are not lending assets to Yearn.
Yearn is not borrowing from users.
Governance is not assuming a liability it must later discharge.

What governance is authorizing is the deployment of Treasury assets to generate yield for the benefit of users, under revocable control. At no point does this create a balance-sheet liability or a claim senior to governance discretion.

Second, the notion that this “structurally favors Yearn” overlooks the asymmetry of risk being absorbed.

The Treasury is:
• Taking an immediate, irreversible principal loss via forfeiture,
• Committing ETH capital to user benefit rather than discretionary use,
• Accepting governance and reputational constraints that would not otherwise exist.

Users, meanwhile, retain full exit optionality at all times:
• They can exit immediately at the recovery floor,
• They can hold and earn yield,
• Or they can sell their position on a secondary market.

This is not an arrangement where users are trapped while the protocol benefits indefinitely. The dominant risk is borne by the Treasury’s opportunity cost and reputational exposure, not by depositor lock-in.

On Amendment B (mandatory allocation of future Treasury ETH)

The suggested requirement that all future Treasury ETH inflows be automatically routed to the recovery vault until full repayment would fundamentally change the nature of this proposal.

That amendment converts a voluntary, bounded support mechanism into a standing claim on Treasury capital, subordinated only to explicitly earmarked uses. In effect, it creates an open-ended obligation that constrains future governance decisions and capital allocation indefinitely.

This crosses the core boundary of the proposal.

The intent here is to make the maximum contribution possible without:
• Encumbering future Treasury inflows,
• Implicitly prioritizing one incident over all future protocol needs,
• Or creating a de facto debt instrument backed by the Treasury.

Once future ETH earnings are pre-committed in this way, balance-sheet neutrality is no longer preserved — governance optionality is impaired by design.

For that reason, Amendment B is incompatible with the stated constraints of this proposal and would require an entirely different recovery design.

On Amendment C (restricted escape hatch and re-commitment)

Similarly, narrowing the escape hatch to narrowly defined “existential threats” with mandatory periodic recommitments converts governance discretion into a quasi-contractual obligation.

That is intentional in the amendment — but it is precisely what this proposal avoids.

The escape hatch exists because Treasury capital must remain fully callable to preserve solvency, operational flexibility, and governance sovereignty. Conditioning or delaying that discretion undermines the premise that Treasury assets remain Treasury assets.

Importantly, the presence of an escape hatch does not nullify the recovery mechanism. It reflects the reality that all Treasury deployments are ultimately subject to governance reassessment as conditions evolve.

This is not a signal that support is optional or casual.
It is a signal that governance remains sovereign.

On “indefinite timelines” and incentives

Finally, the concern that Yearn would be incentivized to delay recovery ignores the mechanism’s structure.

The recovery position is:
• Tradeable,
• Market-priced,
• Backed by Treasury capital,
• And sensitive to yield dynamics and exits.

Governance does not benefit from prolonging recovery. On the contrary, extended recovery periods impose:
• Ongoing reputational drag,
• Governance overhead,
• And capital opportunity cost.

This is why the proposal optimizes for optionality and acceleration through exits, rather than fixed repayment promises that cannot be enforced without introducing insolvency risk.

In summary

Amendments B and C are not minor tuning adjustments. They represent a shift from:
• Voluntary support → Mandatory obligation,
• Yield participation → Treasury-backed debt,
• Governance discretion → Pre-committed capital flows.

Those may be reasonable preferences for some voters, but they are explicitly outside the design space of this proposal.

The proposal is intentionally bounded: it offers affected users a strictly better outcome than the status quo, while preserving Treasury solvency, governance flexibility, and long-term protocol viability.

Governance is, of course, free to reject these constraints and pursue a different approach. But doing so would be a conscious choice to accept materially different risks and precedents.

I encourage participants to evaluate the proposal on those terms.

I disagree with this statement. As written, the condition for access to the recovered assets is forfeiture of any additional recovery.

I did not argue that Scenario A is worse for yETH holders. I argued that Scenario C is strictly better for yETH holders, and does not deviate from the self-imposed restrictions of your proposal.

Let’s examine Scenario A more closely. Let’s assume a hypothetical yETH holder held ~4 yETH at the time of the exploit, and therefore ~1 pxETH was recovered on behalf of this user. Let’s say that they opt in to this recovery plan, and therefore their 1 pxETH will remain in the recovery vault instead of becoming liquid. After 1 year, assuming a staking return of 5% APY, their share of pxETH will have generated 0.05 ETH as yield. Under this proposal, Yearn takes credit for that 0.05 ETH of yield. This is 0.05 ETH less that Yearn will ultimately repay to this user. If, instead, the pxETH were returned to the wallet of this user, and generated that same 0.05 ETH of yield, that yield would still belong to the user, but the recovery vault would ultimately go on to accrue that 0.05 ETH for this user.

Let’s take this logic to an extreme with a hypothetical Scenario D:

1. The recovered pxETH is maintained as staked ETH on the behalf of the affected users. After around 30 or 40 years, this pxETH will have earned enough yield to compensate for the loss of funds.

In this case, the user’s own funds are used to compensate for their losses. This is (to a much smaller degree) being proposed with the current proposal.

Unrelated to the Yearn treasury or protocol, Scenario A uses game theory to indirectly benefit wealthy depositors at the expense of smaller ones. If User A had 5 ETH deposited in yETH and this constituted 100% of their net worth, they understandably may not be able to afford to leave that money locked for the entire duration of repayment. If User B had 5 ETH deposited in yETH, but otherwise had 95 ETH accessible, then they could much more easily afford to leave their recovered pxETH locked until repayment had concluded, and in doing so they benefit from the increased Capital ratio and therefore increased repayment speed.

I recommend that instead of considering this as a binary option between Scenario A and B, consider a third option that serves to benefit the majority of users and is of minimal detriment to the protocol.

Unrelated to the above discussion on Amendment A, I think that this proposal is unsatisfactory for depositors. A protocol that is the size and standing of Yearn should take a more firm commitment to its users than just a ‘We’ll repay you when we feel like it, maybe’. I will make modifications to your proposal and present it separately. Should that be done in this thread, or should I create a new one?

Thanks for the continued engagement. I want to clarify a key point, because several of the concerns raised stem from differing interpretations of how the recovery framework works.

This proposal does not condition access to recovered assets.

Recovered pxETH remains claimable by all affected users regardless of whether this proposal passes or whether a user opts in. That baseline outcome is unchanged.

What this proposal adds is optional upside:

• Users who do not opt in can claim their pro-rata recovered pxETH, exactly as in the status quo.
• Users who do opt in receive an immediate boost from Treasury forfeiture (~5%) and may exit immediately.
• Users who remain opted in can earn additional recovery over time via yield, alongside Treasury and stYFI participation.
• At any point, users may also exit via the market by selling the recovery token.

There is no scenario under which a user is worse off because this proposal exists. Opt-in is strictly voluntary, and non-participants retain their full baseline claim.

On the point about yield: no yield generated in the recovery mechanism accrues to Yearn, contributors, or the Treasury as income, profit, or retained assets. Yield is pooled solely to accelerate recovery for opt-in users. This is a cooperative mechanism, not a transfer of user value to the protocol.

More broadly, this proposal is intentionally bounded. It does not create repayment guarantees, fixed timelines, or Treasury-backed debt obligations. Those designs imply materially different risk and precedent, and are explicitly out of scope here.

The intent is simple: preserve the baseline recovery, add optional upside funded by Treasury yield and forfeiture, and let users choose the path that best fits their circumstances.

This is a strawman argument. At no point have I said that this proposal is worse than the baseline claim, which is only distribution of recovered assets. I have argued that this particular component of the proposal includes significant drawbacks for the majority of users that are not necessary for the recovery vault to function as intended. You have not addressed the points made about disparate benefits and reducing the final amount Yearn will repay to users, which suggests that you understand these points and their inclusion is both intentional and desired.

Regardless, this proposal has gone to a vote at this point despite vocal opposition. Perhaps I’m the only person who has these concerns. I recommend that YFI holders vote no on this proposal.

A brief summary of my concerns:

1. This proposal intentionally only allows access to recovered funds after victims forfeit all future repayment.
2. This proposal uses yield from recovered pxETH and counts that toward’s Yearns repayment, ultimately reducing the amount that Yearn will repay to affected users.
3. This proposal makes absolutely no commitment to its users that repayment will happen, leaving Yearn governance free to renege on this at any point and for any reason.

This proposal feels more like a press release that Yearn can use to say to the world “Look, we’ve made things right and are compensating users fully for the exploit!” and then after some period of time has passed and this event has faded from the news cycle, the repayment can be quietly ended after only a fraction has been returned to users. I hope I am wrong.