Yield Yak follows Gitcoin in latest wallet-drainer attack

Blockchain cybersecurity company Blockaid detected a front-end hack on the website of the decentralized finance (DeFi) yield-aggregating platform, Yield Yak, on June 24, 2026. According to Blockaid, the front-end of Yield Yak’s site had been compromised by malicious wallet-draining scripts. It marks the second time in days that an attack of this nature has taken place against a major crypto exchange platform and is the latest addition to the recent trend of front-end hacks targeting major crypto platforms.

According to Blockaid’s detection process, the subdomain vote.yieldyak.com had been compromised with code from a software called “Eleven drainer.” Wallet drainer is a type of malicious script that tricks users into sending their digital assets to an attacker through transactions approved by users. The malicious code forces approval of actions or sends assets to an attacker at the very instant when users connect their wallets, and often before they even know what they are up to. Neither Blockaid nor Yield Yak has provided information on the number of losses suffered due to the hack at the time of publishing.

Attacker uses a classic playbook

The hack at Yield Yak resembles the vulnerability spotted on Gitcoin, an open-source funding platform, just a few days ago. According to Blockaid on June 21, files.gitcoin.co, a Gitcoin sub-domain, had the same Eleven drainer code and warned people to stay away from the platform as it was being checked out. Blockaid directly associated the two hacks, noting that the attack at Yield Yak “follows yesterday’s incident on Gitcoin, which has operated in a similar way.”

In both instances, sub-domains were compromised instead of the core application interfaces. The core product of Yield Yak, an auto-compounding yield farming protocol on Avalanche, runs on the primary domain. The compromised voting subdomain seems like a secondary entry point, but anyone accessing it would have run the risk of having their wallet drained.

The lack of definite loss figures does not always mean minimal consequences. Front-end vulnerabilities usually go through a process of investigation for hours or even days when security teams identify interactions between wallets and check if users executed malicious transactions. In other drainer cases this year, losses ranged from several thousand dollars to millions of dollars based on the number of people connecting wallets until the malicious code was deleted. For example, in one of the Blockaid-monitored incidents, hackers took about $3.2 million from 86 Safe wallets using a third-party module vulnerability in May. The second example is the exploitation of liquidity provider TrustedVolumes that led to $5.9 million in losses.

Spike in front-end attacks

The mentioned Yield Yak and Gitcoin hacks are part of a larger trend that rattled the cryptocurrency community this year. The front-end attack, when an attacker exploits a website of a project without affecting smart contracts, has increased in frequency across major DeFi platforms.

Earlier in the year, OpenEden, Curvance, and Maple Finance all suffered front-end attacks in a single week in February. Those attacks used a different drainer toolkit called AngelFerno but followed the same method: gain access to a project’s web infrastructure, insert code that hijacks wallet connections, and wait for users to interact.

Blockaid documented an even more aggressive pattern in April 2026. Following high-profile exploits at Drift Protocol, KelpDAO, and other platforms, drainer operators spun up lookalike domains within hours to intercept panicked users searching for ways to revoke token approvals. The firm described April 2026 as “the worst month for crypto theft on record,” citing over $629 million drained across more than 20 incidents.

What Yield Yak users should know

Yield Yak is a DeFi protocol on Avalanche that auto-compounds yield farming rewards and operates a decentralized exchange aggregator, according to its listing on Alchemy. Users who deposited assets through the main platform’s smart contracts are not directly affected by a front-end compromise, since the underlying contracts remain unchanged. The risk applies to anyone who visited the compromised subdomain and connected a wallet or signed a transaction.

As of publication, neither Yield Yak nor Gitcoin had issued public statements on the status of remediation for their respective incidents. No security firm or blockchain investigator has publicly reported confirmed losses tied to the Yield Yak compromise, and there is currently no on-chain evidence indicating the scale of any potential theft. Blockaid advised users not to interact with the affected websites as the issue is being investigated and remediated.

Users who suspect they interacted with vote.yieldyak.com should revoke any token approvals granted during the session using a trusted tool and monitor their wallets for unauthorized transfers.

If you're reading this, you’re already ahead. Stay there with our newsletter.