TL;DR
- Blockaid detected malicious Eleven drainer code on Yield Yak’s vote.yieldyak.com subdomain on June 24, 2026.
- No confirmed losses had been released, but users who connected wallets or signed transactions on the affected subdomain may be exposed.
- The incident follows a similar Gitcoin subdomain compromise and fits a broader wave of front-end wallet-drainer attacks hitting DeFi platforms this year, including February and April campaigns across several major protocols and targeted subdomains.
Yield Yak has become the latest DeFi platform caught in a front-end wallet-drainer incident, after Blockaid detected malicious code on the project’s voting subdomain on June 24, 2026. The compromised page, vote.yieldyak.com, had been injected with the Eleven drainer script, a wallet-stealing tool designed to push users into approving hostile transactions after they connect a wallet. The uncomfortable detail is that the attack did not need to break Yield Yak’s smart contracts, because the danger sat at the website layer where users begin interacting with the protocol, trusting routine prompts and familiar branding during DeFi visits.
🚨Blockaid’s system has identified a front-end attack on yieldyak[.]com by @yieldyak_. The site’s subdomain – vote[.]yieldyak[.]com now contains code of Eleven drainer.
This follows yesterday’s incident on @gitcoin which has operated in a similar way
— Blockaid (@blockaid_) June 24, 2026
The known damage remains uncertain. Neither Yield Yak nor Blockaid had released confirmed loss figures at publication, and no public blockchain investigator had established the size of any theft tied to the compromise. Still, the absence of a figure does not mean the absence of risk. Front-end probes can take hours or days as teams map wallet interactions and identify malicious approvals. For users, the exposure depends on whether they visited the compromised subdomain, connected a wallet or signed a transaction while the malicious code was active during the investigation window and before public alerts spread.

Subdomains Become the New Attack Surface
The incident appears to follow the same playbook seen days earlier against Gitcoin, where Blockaid warned that information.gitcoin.co had also been compromised with Eleven drainer code. In both cases, attackers targeted secondary subdomains rather than the main application interface. Yield Yak’s primary product, an Avalanche-based auto-compounding yield farming protocol and decentralized exchange aggregator, continued to sit apart from the voting page. That distinction matters because the breach targeted user entry points, not the underlying protocol, though anyone interacting through the poisoned page could still face wallet-level losses before remediation finished and approvals were revoked.
The broader pattern is harder to dismiss. OpenEden, Curvance and Maple Finance all suffered front-end attacks in a single February week using a different toolkit called AngelFerno, while April brought even more aggressive drainer activity after incidents involving Drift Protocol, KelpDAO and others. Blockaid described April 2026 as the worst month for crypto theft on record, with more than $629 million drained across over 20 incidents. For now, Yield Yak users face a familiar but urgent security checklist: avoid affected pages, revoke suspicious approvals and monitor wallets for unauthorized transfers while teams assess exposure and cleanup progress.

