Yield Yak Hit by Same Drainer Script Used Against Gitcoin

What You Need to Know
- Blockaid detected a front-end compromise on Yield Yak’s voting subdomain that used the “Eleven drainer” wallet-draining script.
- Front-end attacks poison web interfaces while leaving smart contracts untouched, and target subdomains to avoid detection.
- April 2026 saw record crypto theft of $629 million across 20+ incidents, establishing a sustained attack tempo.
- Multiple drainer operators are running coordinated campaigns against DeFi infrastructure using different toolkits such as AngelFerno.

Blockaid detected a front-end compromise on Yield Yak’s voting subdomain on June 24, 2026, with the same “Eleven drainer” wallet-draining script used three days earlier against a Gitcoin subdomain. No loss figures have been confirmed, but the two attacks were directly linked by Blockaid, and the absence of a number does not mean the damage was small.
Front-end attacks work by leaving smart contracts entirely untouched while poisoning the web layer users interact with. That distinction matters: anyone who held assets in Yield Yak’s auto-compounding vaults on Avalanche through the primary domain was not directly at risk, but anyone who navigated to vote.yieldyak.com and connected a wallet was exposed the moment they did so.
The pattern here is disciplined. In both the Gitcoin and Yield Yak incidents, attackers targeted subdomains rather than core interfaces, lowering the chance of immediate detection while still capturing live wallet connections. Earlier this year, OpenEden, Curvance, and Maple Finance were all hit within a single week in February using a different toolkit called AngelFerno, confirming that multiple drainer operators are running coordinated or parallel campaigns against DeFi infrastructure.
Blockaid called April 2026 “the worst month for crypto theft on record,” citing over $629 million drained across more than 20 incidents, which makes June’s activity look less like a spike and more like a sustained operational tempo.
The broader implication is that front-end security has become the softest surface in DeFi, and drainer operators have industrialized the exploit cycle. After high-profile incidents in April, Blockaid documented attackers spinning up lookalike domains within hours to catch users searching for ways to revoke token approvals, which means the attack surface extends beyond the original compromise. For context, a Blockaid-monitored incident in May saw roughly $3.2 million taken from 86 Safe wallets through a third-party module vulnerability, and a separate exploit of liquidity provider TrustedVolumes produced $5.9 million in losses. Those figures arrived only after investigators mapped wallet interactions against the malicious code, which is exactly the process underway now for Yield Yak.
Anyone who connected a wallet to vote.yieldyak.com around June 24 should treat that wallet as potentially compromised and audit token approvals immediately. The final loss figure, when it arrives, will likely depend less on the sophistication of the attack than on how many users happened to visit a governance page on the wrong day.
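
One way to carry out the approval audit advised above, as an added example that is not from the article or from Blockaid: it replays `Approval` and `ApprovalForAll` event logs (in the shape `eth_getLogs` returns) and lists grants by a wallet that were never revoked. The addresses and log entries are constructed sample data, and the function and variable names are illustrative.

```python
# topic0 of ERC-20 Approval(address,address,uint256) and ApprovalForAll(address,address,bool)
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
UNLIMITED = 2**255  # dapps usually request 2**256-1; treat the top half of the range as unlimited

def topic_addr(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Replay logs in chain order and return approvals by `owner` that are still live."""
    owner = owner.lower()
    state = {}  # (token contract, spender, kind) -> latest approved value
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    for log in sorted(logs, key=order):
        t = log["topics"]
        if len(t) != 3 or t[0] not in (APPROVAL, APPROVAL_FOR_ALL):
            continue  # ERC-721 per-token Approval shares topic0 but carries 4 topics
        if topic_addr(t[1]) != owner:
            continue  # approval granted by a different wallet
        kind = "erc20" if t[0] == APPROVAL else "operator"
        value = int(log["data"], 16) if log["data"] not in ("0x", "") else 0
        state[(log["address"].lower(), topic_addr(t[2]), kind)] = value
    return [{"token": tok, "spender": sp, "kind": kind,
             "unlimited": kind == "operator" or value >= UNLIMITED}
            for (tok, sp, kind), value in state.items() if value != 0]  # 0 means revoked

def _log(block, idx, token, topic0, owner, spender, value):
    """Build one constructed sample log entry."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [topic0, pad(owner), pad(spender)], "data": "0x" + format(value, "064x")}

# Constructed sample data: placeholder addresses, not taken from any incident.
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B, NFT = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
SPENDER_OLD, SPENDER_NEW = "0x" + "b1" * 20, "0x" + "b2" * 20
SAMPLE_LOGS = [  # deliberately out of chain order
    _log(120, 3, TOKEN_A, APPROVAL, OWNER, SPENDER_OLD, 0),           # revocation
    _log(100, 0, TOKEN_A, APPROVAL, OWNER, SPENDER_OLD, 2**256 - 1),  # earlier grant
    _log(130, 1, TOKEN_B, APPROVAL, OWNER, SPENDER_NEW, 2**256 - 1),  # live, unlimited
    _log(131, 0, NFT, APPROVAL_FOR_ALL, OWNER, SPENDER_NEW, 1),       # live operator grant
    _log(132, 0, TOKEN_B, APPROVAL, OTHER, SPENDER_NEW, 5),           # someone else's wallet
]

if __name__ == "__main__":
    for row in outstanding_approvals(SAMPLE_LOGS, OWNER):
        print(row)
```

Log replay gives an upper bound for ERC-20 tokens, since allowances spent through `transferFrom` do not always emit a new `Approval`; confirm each hit with the token's `allowance(owner, spender)` before revoking.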