$157 000 USD

APRIL 2024

GLOBAL

YIEDL.AI

DESCRIPTION OF EVENTS

"YIEDL is a service that allows users to invest their on-chain assets in a portfolio of crypto-assets generated from crowd-sourced machine-learning forecasts."

 

"Invest SMARTER, not HARDER Discover YIEDL and elevate your portfolio. Trade next-gen AI-powered vaults, built for you by a community of +500 data scientists"

 

"We gathered the best Data Scientists in the world to build for you the best AI-powered portfolios" "1-click solution to Join the Web3 revolution. Mint, or trade Vault shares directly from your wallet" "“Not your keys, not your coins.” Funds are user-controlled, eliminating third-party fraud risk"

 

"We detected potential suspicious activity related to Y-BULL (Yiedl BULL)."

 

"According to intelligence from the SlowMist Security Team, the YIEDL project on the BSC chain was attacked, with the attacker stealing approximately $300,000. In this incident, the reason lies in the contract’s failure to adequately validate the external parameter (dataList) provided by the user during the processing of the redeem function call. This parameter is critical data for controlling asset exchanges, typically containing specific transaction instructions or routing information. The attacker maliciously constructed this external parameter, enabling unauthorized asset transfers."

 

"The vulnerable and exploited Y-BULL (Yiedl BULL) contract has a redeem function that allows users to exchange a specific number of shares they hold in an asset pool for a certain asset."

 

"The dataList parameter is used to make external calls to control asset exchange with information relating to transactions or other routing details. Due to a lack of validation in this parameter, the attacker was able to inject payloads that led to unintended interactions with the router contracts, leading to unauthorized asset transfers."

 

"The attacker repeatedly invoked a call to this redeem function, passing the `sharesToRedeem` parameter as zero."
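A defensive sketch of the checks the quoted analyses describe as missing, added here as an example; it is not YIEDL's contract code and does not come from any of the quoted sources. The `SwapCall` layout of a `dataList` entry, the `allowed` mapping, the `admin` setter and the `_burnShares`/`_entitlement` hooks are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; every name and the dataList layout are assumptions.
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transfer(address to, uint256 amt) external returns (bool);
}

abstract contract HardenedRedeem {
    struct SwapCall { address router; bytes data; } // assumed shape of one dataList entry

    address public immutable admin = msg.sender;
    mapping(address => mapping(bytes4 => bool)) public allowed; // router => selector => ok

    function allow(address router, bytes4 selector, bool ok) external {
        require(msg.sender == admin, "not admin");
        allowed[router][selector] = ok;
    }

    // Hypothetical share-accounting hooks supplied by the concrete vault.
    function _burnShares(address from, uint256 shares) internal virtual;
    function _entitlement(uint256 shares, IERC20 asset) internal view virtual returns (uint256);

    function redeem(uint256 sharesToRedeem, IERC20 receivingAsset, SwapCall[] calldata dataList)
        external returns (uint256 out)
    {
        // 1. Zero shares carry no entitlement, so they must never reach the swap path.
        require(sharesToRedeem > 0, "zero shares");
        uint256 maxOut = _entitlement(sharesToRedeem, receivingAsset); // fixed before external calls
        _burnShares(msg.sender, sharesToRedeem);

        uint256 balBefore = receivingAsset.balanceOf(address(this));
        for (uint256 i = 0; i < dataList.length; i++) {
            SwapCall calldata c = dataList[i];
            // 2. Caller-supplied routing data may only reach vetted router functions.
            require(c.data.length >= 4, "short calldata");
            require(allowed[c.router][bytes4(c.data[:4])], "call not allowed");
            (bool ok, ) = c.router.call(c.data);
            require(ok, "swap failed");
        }
        // 3. Pay out only what actually arrived at the vault, capped by the entitlement.
        //    Selector checks do not constrain call arguments (such as a swap recipient);
        //    a production vault would also decode and pin those.
        out = receivingAsset.balanceOf(address(this)) - balBefore;
        require(out <= maxOut, "exceeds entitlement");
        require(receivingAsset.transfer(msg.sender, out), "transfer failed");
    }
}
```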

 

"Hello Yiedl community, as you already know, a few days ago we suffered a hard blow on the BSC Y-BULL vault.

 

1. Fortunately, the funds involved in the hack are not funds belonging to community users but are company funds.

 

2. Funds held in other vaults (UP, DOWN, NEUTRAL) were not affected by this incident and are safe.

 

3. Meanwhile, investigations are still ongoing (internal and with the relevant authorities) and we will publish an incident report as soon as possible. Together with our partners we are trying to shed light on the responsibilities of all the actors involved (external auditor, internal team, end users) and we will share everything with maximum transparency.

 

4. As far as the project is concerned, everything remains unchanged. The competition continues without interruption"

 

Explore This Case Further On Our Wiki

Yiedl.ai is a platform offering access to different yield strategies, prepared by a competing council of data scientists. The platform initiated a Y-BULL strategy, whose contract had a vulnerability in the redeem function that allowed an attacker to take $157k from the smart contract. The lost funds are reportedly all company funds of Yiedl.ai, not user funds. The protocol acknowledged the attack on Twitter and claims its launch plans are not impacted.
