How One Line of Code Destroyed Yam DeFi

The now notorious project, Yam.Finance, was launched without a proper code audit, just like many other projects in the space. Richard Ma, the CEO of blockchain security company Quantstamp, told Cointelegraph that many DeFi projects are launched unaudited in order to capitalize on reverse psychology:

“Not having an audit is currently seen as a good way to use reverse-psychology to do marketing.” He added, “It creates the perception that these projects are so in-demand, and that you're getting in on it at the ground floor, before other people have heard of it.”

According to Ma, many popular projects like Yearn Finance, Cream and Yearn Finance II were launched in the same fashion. However, he notes that it does not necessarily mean that DeFi users need to be paranoid about these beloved projects; Ma noted that “the most danger lies in the early days.”

If a project survives its early growing pains, it “starts to accumulate many informal security reviews”. In the case of Yearn Finance, Quantstamp ended up performing a formal security audit later on. Yam was not fortunate enough to make it to that stage. Though Ma performed an unofficial audit of some of Yam’s smart contracts, he did not audit the one that led to the project’s failure. Examining the code, Ma said that a single line of code doomed the Yam farmers:

“totalSupply = initSupply.mul(yamsScalingFactor)”

This should have been followed by “div(BASE)”, in essence dividing the supply by a very large number — 10 followed by seventeen zeros. Without this divisor, the network was set to create “Zimbabwe style” inflation. According to Ma, there is no way of fixing this bug and as a result, approximately $750,000 worth of crypto is permanently locked.
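The effect of the missing “div(BASE)” can be modeled in a few lines of Python. This is an added example, not Yam's contract code: the function names, the rebase step, the 18-decimal fixed-point unit and the 2,000,000-token starting supply are assumptions made for illustration. It also shows a regression check of the kind an audit or unit test would run against the supply calculation.

```python
# Added illustration; models the arithmetic only, not Yam's contract code.
BASE = 10**18  # fixed-point unit: 1.0 is stored as 10**18 (18 decimals assumed)

def supply_buggy(init_supply: int, scaling_factor: int) -> int:
    # The line quoted in the article: the product keeps an extra factor of BASE.
    return init_supply * scaling_factor

def supply_fixed(init_supply: int, scaling_factor: int) -> int:
    # The same line followed by div(BASE): the result is back in token units.
    return init_supply * scaling_factor // BASE

def rebase(init_supply, scaling_factor, delta, supply_fn):
    """Grow the scaling factor by `delta` (a fixed-point fraction) and
    recompute total supply with `supply_fn`. Hypothetical rebase step."""
    new_factor = scaling_factor * (BASE + delta) // BASE
    return new_factor, supply_fn(init_supply, new_factor)

def rebase_keeps_units(supply_fn, init_supply, scaling_factor, delta) -> bool:
    """Regression check: after a rebase of `delta`, total supply should be the
    old supply times (1 + delta), within one part per million for rounding."""
    old_total = supply_fixed(init_supply, scaling_factor)
    _, new_total = rebase(init_supply, scaling_factor, delta, supply_fn)
    expected = old_total * (BASE + delta) // BASE
    return abs(new_total - expected) * 10**6 <= expected

# Constructed sample values: 2,000,000 tokens, factor 1.0, +10% rebase.
INIT_SUPPLY = 2_000_000 * BASE
FACTOR = BASE
DELTA = BASE // 10

if __name__ == "__main__":
    for name, fn in (("buggy", supply_buggy), ("fixed", supply_fixed)):
        _, total = rebase(INIT_SUPPLY, FACTOR, DELTA, fn)
        ok = rebase_keeps_units(fn, INIT_SUPPLY, FACTOR, DELTA)
        print(f"{name}: totalSupply = {total // BASE:,} tokens, check passes: {ok}")
```

With these sample values the corrected calculation reports 2,200,000 tokens after the rebase, while the line without the division reports a supply larger by a factor of BASE, which the check rejects.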

Quantstamp’s CEO does not believe that the Yam debacle will break DeFi, as “DeFi people have a way of being okay with volatility”. He also added that many crypto influencers invested in the now defunct project, noting that “So many influencers got into YAM - it's about 1/3rd of my twitter feed now”.

Yam.finance’s short-lived history is perhaps best summed up by the following chart: 

Source: CoinMarketCap.
