TL;DR
- Blockaid detected malicious Eleven drainer code on Yield Yak’s vote.yieldyak.com subdomain on June 24, 2026.
- No confirmed losses had been released, but users who connected wallets or signed transactions on the affected subdomain may be exposed.
- The incident follows a similar Gitcoin subdomain compromise and fits a broader wave of front-end wallet-drainer attacks hitting DeFi platforms this year, including February and April campaigns across several major protocols and targeted subdomains.
Yield Yak has become the latest DeFi platform caught in a front-end wallet-drainer incident, after Blockaid detected malicious code on the project’s voting subdomain on June 24, 2026. The compromised page, vote.yieldyak.com, had been injected with the Eleven drainer script, a wallet-stealing tool designed to push users into approving hostile transactions when they connect a wallet. The uncomfortable detail is that the attack did not need to break Yield Yak’s smart contracts, because the danger sat at the website layer where users begin interacting with the protocol, trusting routine prompts and familiar branding during DeFi visits.
🚨Blockaid's system has identified a front-end attack on yieldyak[.]com by @yieldyak_. The site's subdomain – vote[.]yieldyak[.]com now contains code of eleven drainer.
This follows yesterday's incident on @gitcoin which has operated in a similar way pic.twitter.com/YFmWEYfa7D
— Blockaid (@blockaid_) June 24, 2026
The known damage remains uncertain. Neither Yield Yak nor Blockaid had released confirmed loss figures at publication, and no public blockchain investigator had established the scale of any theft tied to the compromise. Still, absence of a figure does not mean absence of risk. Front-end probes can take hours or days as teams map wallet interactions and identify malicious approvals. For users, the exposure depends on whether they visited the compromised subdomain, connected a wallet or signed a transaction while the malicious code was active during the investigation window and before public alerts spread.
Subdomains Become the New Attack Surface
The incident appears to follow the same playbook seen days earlier against Gitcoin, where Blockaid warned that files.gitcoin.co had also been compromised with Eleven drainer code. In both cases, attackers targeted secondary subdomains rather than the main application interface. Yield Yak’s primary product, an Avalanche-based auto-compounding yield farming protocol and decentralized exchange aggregator, continued to sit apart from the voting page. That distinction matters because the breach targeted user access points, not the underlying protocol, though anyone interacting through the poisoned page could still face wallet-level losses before remediation finished and approvals were revoked.
The broader pattern is harder to dismiss. OpenEden, Curvance and Maple Finance all suffered front-end attacks in one February week using a different toolkit called AngelFerno, while April brought even more aggressive drainer activity after incidents involving Drift Protocol, KelpDAO and others. Blockaid described April 2026 as the worst month for crypto theft on record, with more than $629 million drained across over 20 incidents. For now, Yield Yak users face a familiar but urgent security checklist: avoid affected pages, revoke suspicious approvals and monitor wallets for unauthorized transfers while teams assess exposure and cleanup progress.
