Rebase Bug Permanently Breaks Yam Governance

Published at: Aug. 13, 2020

A bug in the hastily developed contracts for Yam Finance resulted in the governance contracts being “permanently broken” and $750,000 worth of Curve tokens locked from use.

Andre Cronje, DeFi developer and founder of the yEarn protocol, told Cointelegraph that this resulted from a bugged rebase function.

Yam is supposed to be a stablecoin with a similar mechanism to Ampleforth, with the contracts creating or destroying supply based on the token’s price to maintain a $1 peg.

Cronje said that a bug in the rebase function meant that each call after the first one would “exponentially increase [supply] every time by 10^1e18.” 

This results in a massive influx of new tokens, far more than there should have been.

But there were three parts to the bug, according to Cronje. The issue was compounded by an additional mechanism used by Yam to balance the token’s price. The rebase function also sells “into the yCRV/YAM pool up to a max of 10% slippage,” he said, to ensure that the price reflects the updated supply. The proceeds from the sale and remaining YAM are sent into the project’s treasury contract.

A further aspect of the system is its governance, which requires a percentage of all tokens to be committed to a proposal for 12.5 hours. Earlier concerns that not enough tokens were being delegated triggered a support campaign to get holders to vote, but this was ultimately futile.

Since the rebase created a huge amount of new YAM and sent it to the treasury contract, it now holds the vast majority of all tokens. “This means the available YAM on the market aren't enough to reach quorum,” said Cronje.

The result is that both the governance and the treasury are now “bricked” and cannot be accessed. The rebase bug cannot be fixed without access to governance, so this should in theory spell the death of the project — or at least its existing smart contracts and tokens.
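The quorum failure described above can be modeled in a few lines. This is an added example, not Yam's contract code: the 18-decimal base, the 4% quorum, the balances, the skipped division as the form of the defect, and all function names are assumptions for illustration, and the sale into the pool is left out.

```python
from dataclasses import dataclass

BASE = 10**18   # 18-decimal fixed-point unit (assumed)
BPS = 10_000    # basis-point denominator


@dataclass(frozen=True)
class Token:
    voter_held: int  # tokens on the market that can be delegated to a proposal
    treasury: int    # tokens held by the treasury contract, which cannot vote

    @property
    def total_supply(self) -> int:
        return self.voter_held + self.treasury


def rebased_supply(supply: int, scaling_factor: int, buggy: bool) -> int:
    """supply * factor, where factor is a BASE fixed-point number.
    buggy=True skips the division by BASE (assumed form of the defect)."""
    product = supply * scaling_factor
    return product if buggy else product // BASE


def positive_rebase(tok: Token, scaling_factor: int, buggy: bool = False) -> Token:
    """Mint the supply increase to the treasury (simplified: no pool sale)."""
    minted = rebased_supply(tok.total_supply, scaling_factor, buggy) - tok.total_supply
    return Token(tok.voter_held, tok.treasury + max(minted, 0))


def quorum_reachable(tok: Token, quorum_bps: int) -> bool:
    """True if all voter-held tokens voting together would meet quorum."""
    return tok.voter_held >= tok.total_supply * quorum_bps // BPS


def max_safe_mint(tok: Token, quorum_bps: int) -> int:
    """Largest mint to the treasury that still leaves quorum reachable."""
    return max(tok.voter_held * BPS // quorum_bps - tok.total_supply, 0)


if __name__ == "__main__":
    start = Token(voter_held=2_000_000 * BASE, treasury=0)  # constructed balances
    factor = 11 * 10**17                                    # +10% rebase
    for buggy in (False, True):
        after = positive_rebase(start, factor, buggy)
        print(f"buggy={buggy} supply={after.total_supply:.3e} "
              f"quorum_reachable={quorum_reachable(after, 400)}")
    print(f"mint limit before quorum breaks: {max_safe_mint(start, 400):.3e}")
```

A check like `max_safe_mint` works as a test invariant for any design where minted tokens land in an address that cannot vote while quorum is computed against total supply.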
