Yearn Finance Liquidation Vulnerability: Difference between revisions

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Yearn Finance

Yearn Finance offers a large variety of tools, including a leveraged strategy referred to as "GenLevComp". That strategy, and a few others, had funds stored in smart contract hot wallets for leverage.

The funds were removed from the contracts into a safe vault, and the vulnerabilities were fixed. A bounty of $200k was paid.

This is a global/international case not involving a specific country. ^{[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]}

About Yearn Finance

"Yearn.finance is the brainchild of Andre Cronje. After leaving the iEarn project in February 2020, Cronje returned to oversee a rebirth, with new tools emerging and YFI going live in July." "Cronje has a long career in cryptocurrency and has become synonymous with DeFi in particular. He also has positions at smart contract ecosystem Fantom and CryptoBriefing, a resource dedicated to initial coin offerings (ICOs) and crypto media." "The prospect of what one observer called an "intuitive interface to all of DeFi" is what makes Yearn and its YFI coin stand out from the recent crop of "Weird DeFi" projects."

"Yearn.finance set out to simplify DeFi investment and activities such as yield farming for the broader investor sector" and "aspires to be the gateway to a bevy of yield-generating products in the Ethereum ecosystem." "Yearn.finance is an aggregator service for decentralized finance (DeFi) investors, using automation to allow them to maximize profits from yield farming. Its goal is to simplify the ever-expanding DeFi space for investors who are not technically minded or who wish to interact in a less committal manner than serious traders. Launched in February 2020, the service, formerly known as iEarn, has seen huge growth in recent months as new products debuted and developers released in-house token YFI."

"In its first month of operation, the yearn.finance platform attracted nearly $800 million in assets, making it one of the fastest-growing DeFi projects to date." "[A]ssets under total value locked [were] just over $1 billion as of the end of September 2020. The platform makes use of various bespoke tools to act as an aggregator for DeFi protocols such as Curve, Compound and Aave, bringing those who stake cryptocurrency the highest possible yield. New features continue to be rolled out, these aiming, among other things, to help preserve the long-term value of the platform." "But given that Yearn has several different elements, the platform is one of the harder ones for novice investors to understand. Some $650 million has poured into DeFi’s Yearn.Finance since mid-August. DeFi is driving most of the excitement in crypto right now, and Yearn and its YFI token are central to the latest buzz."

"yearn.finance is a group of protocols running on the Ethereum blockchain that allow users to optimize their earnings on crypto assets through lending and trading services." "The yearn.finance platform consists of several independent products, including APY – A data table that shows interest rates across different lending protocols. Earn – Which identifies the highest interest rates users can earn lending an asset. Vaults – A collection of investment strategies designed to generate the highest returns from other DeFi projects. Zap – Which bundles several trades in one click, saving on costs and labor. Users earn YFI tokens by locking cryptocurrencies in yearn.finance contracts running on the Balancer and Curve DeFi trading platforms, using the yearn.finance platform." "yearn.finance capitalizes on a practice commonly called “yield farming,” in which users lock up crypto assets in a DeFi protocol in order to earn more cryptocurrency. The more assets users lock in a platform, the more tokens they are awarded by the protocols."

"Yearn.finance makes a profit by charging withdrawal fees, currently 0.5% at the end of September 2020, as well as 5% gas subsidization fees. Due to its governance model, these can technically be changed by consensus at any time. The target market for yearn.finance is investors who do not have the time to study the increasingly complex DeFi phenomenon from scratch, or who wish to optimize their returns. Users of yearn.finance earn YFI through providing liquidity, while token holdings dictate governance privileges." "One of a number of emerging decentralized finance (DeFi) projects, yearn.finance provides its services using only code, removing the need for a financial intermediary like a bank or custodian. To do this, it has built a system of automated incentives around its YFI cryptocurrency."

"Yearn.finance users can face a high risk of losing money thanks to market conditions changing rapidly and opportunistic entities attempting to profit from less-experienced participants. Cronje himself has sought to maintain transparency about the platform’s provenance, noting that even after code audits, yearn.finance could not be guaranteed to be 100% safe — DeFi involves inherent risk."

"A blue-chip project, Yea[r]n had over $4 billion in total value locked (TVL), as of writing, down from more than $5 billion in mid-June, as per DeFi Llama. In Q2 2021, the project enjoyed a jump of 138% in its TVL while its revenue grew by 233% to 18.3 million from $5.5 million. Yearn’s active wallet addresses are also seeing an increase of 31% to 21.5k."

At "June 29, 2021, 19:20 (UTC)", a "security researcher, xyzaudits, contacts Yearn's security team through its vulnerability disclosure process about a possible exploit that can lead to significant loss of user funds." "[A]n attack vector in the GenLevComp strategy type that is in use in two strategies in the yvDAI 0.3.0 vault was disclosed through Yearn's security process."

The "vulnerability could have liquidated GenLevComp strategy debt position." "In this leverage strategy, DAI is borrowed and lent repeatedly on Compound in order to farm Comp tokens which makes use of dYdX for flash loans. If successfully exploited, the attacker would have been able to liquidate an affected strategy's entire debt position on Compound and potentially capture liquidation fees. This would have led to a “significant loss of user funds.”" "If successfully exploited, the attacker would have been able to liquidate an affected strategy's entire debt position on Compound and potentially capture liquidation fees."

"DAI GenLevComp[1], a.k.a StrategyGenericLevCompFarm, is a leveraged strategy that borrows and lends DAI repeatedly on Compound in order to farm Comp tokens. To get into this highly leveraged position it uses dYdX for flash loans."

"To receive the flashloan, dYdX sends DAI to GenLevComp and then calls the function callFunction. After the logic is complete, dYdX needs to receive back more DAI than was sent otherwise the transaction reverts."

"GenLevComp lends out the amount borrowed to Compound and borrows the repayAmount (calculated as amount+2) which it then returns to dYdX. The logic flow is that amount and repayAmount are passed to dYdX. dYdX send the DAI equivalent of amount to the contract and executes callFunction with input of amount and repayAmount. After callFunction dYdX pulls the repayAmount and verifies it has more funds than it started with."

"If GenLevComp does not receive the expected amount from the loan, or if callFunction is called by anyone other than dYdX's SOLO contract, or if dYdX does not receive its funds back, the transaction reverts. It was believed that the combination of these three safety features made the function safe."

"The security researcher was able to effectively initiate a flashLoan of 0 amount and inject their own value to repayAmount. Because of this there was no loan, so dYdX did not expect any repayment and therefore did not revert. dYdX SOLO contract still called the callFunction. And the function received the correct amount: zero. Bypassing the three safety checks."

"Then a loan of the injected repayAmount was taken out from Compound. By calculating an exact number the exploiter would be able to force the strategy to borrow right up until it was 1 block away from liquidation. On the next block, liquidators would be able to liquidate the strategy and claim liquidation fees. By repeating this process again and again an exploiter would be able to completely liquidate the contract."

“No funds were lost,” assured the team. "A check was added to callFunction to make sure that only itself could initiate the dYdX call. Thereby stopping a third party from being able to intiate the flash loan. The calculation for repayAmount was moved from function doDyDxFlashLoan to function callFunction. Thereby removing the opportunity to inject a false number."

"Yearn Finance awarded a maximum bounty of $200,000 to a security researcher xyzaudits after they revealed a vulnerability in the leveraged COMP farming strategies that have since been mitigated." "Yearn awarded [the] bounty for a "[T]he vulnerable strategies have been successfully wound down, and a fix has been committed and tested."

"As per Yearn's security process document, the project does not currently have any established bilateral disclosure agreements. However, in this case, due to the critical nature of the vulnerability, a disclosure was made to "Gro Protocol" prior to this publication."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

• Known history of when and how the service was started.
• What problems does the company or service claim to solve?
• What marketing materials were used by the firm or business?
• Audits performed, and excerpts that may have been included.
• Business registration documents shown (fake or legitimate).
• How were people recruited to participate?
• Public warnings and announcements prior to the event.

Don't Include:

• Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
• Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

• When the service was actually started (if different than the "official story").
• Who actually ran a service and their own personal history.
• How the service was structured behind the scenes. (For example, there was no "trading bot".)
• Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

No funds were lost due to the responsible disclosure.

While smart contract hot wallets cannot be guaranteed, bug bounty programs such as this and professional security audits can reduce the risk greatly. The most secure form of protection is an offline multi-signature wallet, so perhaps there is a solution where the majority of funds reside there and are only accessed when large adjustments need to be made.

References