YAM Finance Incident

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 10:14, 2 May 2023 by Azoundria (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

YAM Finance

Despite an audit, YAM Finance launched with a coding error which caused governance tokens to be minted rapidly in the protocol. This doomed the project, and ended up with $750,000 worth of yCRV token stuck in the contract.

The project was relaunched in a new smart contract, and the second version was more successful.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43][44][45][46][47][48][49][50][51][52][53][54][55][56][57][58][59][60]

About YAM Finance

"YAM is a modified clone of Ampleforth, a stablecoin with dynamic supply. Depending on the demand, YAM and Ampleforth can increase or decrease the total supply to maintain the $1 peg. Supply is changed by calling a dedicated “rebase” function." "Community-led DeFi stablecoin YAM managed to attract hundreds of millions of dollars in a matter of hours after it launched on Aug. 11." "YAM’s key difference from Ampleforth is that it automatically bought yCRV tokens whenever supply increased."

"At 08:01 AM UTC, Aug-13-2020, the creator of YAM, @brockjelmore, tweeted about the failure of rescuing the $750,000 yCRV tokens locked in the governance contract." "[A] single line of code doomed the Yam farmers", "creat[ing] “Zimbabwe style” inflation." "[A] bug in the rebase function meant that each call after the first one would “exponentially increase [supply] every time by 10^1e18.”" "The team wanted to use YAM in the project’s governance, but the rebase function issued excess YAM tokens to the project’s treasury, which diluted YAM holders’ governance power." "The price plummeted by 99% within 24 hours, resulting in the “permanent destruction” of the governance contract. Curve tokens worth 750,000 USD It is locked and cannot be used."

"The team tried to fix the bug by initiating a voting process to stop rebasing until the project’s governance contract is swapped. However, the initiative failed despite high voter turnout." "By the time the team realized nothing could be done to save the project, $750,000 of yCRV were already locked in the treasury." "The team didn’t give up and eventually swapped the project’s governance module to a working one. YAM holders could migrate via a temporary smart contract."

"Yam Finance all but collapsed ... following the discovery of [the] fatal error, but the project has since gained $200 million in total value locked." "Yam is still the 7th largest Defi project according to total value locked (TVL)." "The project library suffered a serious loss of as much as 750,000 US dollars of Curve tokens." "[P]rice plummeted 99%." "After the bug announcement, the YAM token’s value dropped significantly as the token touched an all-time high of $167.66 per token. At the time of publication, the token is only worth $0.97 per YAM."

"[B]lockchain security company Peckshield [conducted] an audit of the migration contract." “Following the audit, we will publish the report, deploy the migration contract, and enable migration through [the website],” the blog stated. Users will then need to burn their V1 tokens and mint new V2 tokens within 72 hours of the migration deployment. "[T]he Yam Finance team announced that the new [V3] protocol's migration would start at 8 PM UTC on Friday, September 18." "V3 ha[s] successfully passed the audit performed by PeckShield." "Following the migration, YAMv2 emerged. The token managed to climb to $32 but failed to repeat the previous success and returned to $25.7 by the time of writing." "[T]here is a lot of work that can be done to improve Yam. Despite the last month of progress, the relaunch of Yam is truly a starting point."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - YAM Finance Incident
Date Event Description
August 13th, 2020 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $750,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The safest storage of assets is an offline multi-signature wallet. Storing funds in a smart contract is very similar to a hot wallet and should be avoided.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Yam Suffers Technical Outage Following Scam Accusations (Aug 12, 2020)
  2. Defi Project Yam Finance Sees Over $500M Locked in 24 Hours, Devs Reveal Contract Bug | Bitcoin News (Aug 12, 2020)
  3. How One Line of Code Destroyed Yam DeFi (Aug 13, 2020)
  4. Rebase Bug Permanently Breaks Yam Governance (Aug 13, 2020)
  5. The impact of the Yam project’s lightning incident (Aug 13, 2020)
  6. Defi Implosion: YAM Token Market Cap Plummets to Near Zero as Founder Claims He 'Failed' | Bitcoin News (Aug 13, 2020)
  7. @YamFinance - Twitter (Aug 14, 2020)
  8. Meteoric Rise And Fall Of YAM Explained - Ethereum, DEFI - YouTube (Aug 14, 2020)
  9. DeFi strikes again: YAM protocol bug leads to $750,000 loss - CoinGeek (Aug 14, 2020)
  10. @YamFinance - Twitter (Aug 16, 2020)
  11. Ethereum Transaction Hash (Txhash) Details | Etherscan (Aug 18, 2020)
  12. @YamFinance - Twitter (Aug 19, 2020)
  13. Investors Tip $400M Into Failed DeFi ‘Yam’ Project Hoping for a Sequel (Aug 19, 2020)
  14. yam-migration/PeckShield-Audit-Report-YAMv2-v1.0.pdf at master · yam-finance/yam-migration · GitHub (Aug 19, 2020)
  15. @YamFinance - Twitter (Aug 22, 2020)
  16. @YamFinance - Twitter (Sep 18, 2020)
  17. Yam Finance announces migration to V3 in hopes to revive the project (Sep 18, 2020)
  18. @YamFinance - Twitter (Sep 20, 2020)
  19. @YamFinance - Twitter (Sep 20, 2020)
  20. @YamFinance - Twitter (Sep 20, 2020)
  21. Yam Finance Replants and Rebases But Tokens Still Slide (Sep 22, 2020)
  22. "It Was Exciting But it Was Also Terrifying:" Dan Elitzer and Clinton Bembry on Yam Finance's Backstory by The Defiant • A podcast on Anchor (Sep 26, 2020)
  23. YAM Finance (Jul 11, 2021)
  24. Chengdu Lianan: In August, there were 5 security incidents in the DeFi field, and a total of 39 incidents in the blockchain field • Blockcast.cc- News on Blockchain, DLT, Cryptocurrency (Jun 13, 2021)
  25. Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 22, 2021)
  26. No Audits, No Problem: DeFi Stablecoin YAM Attracts Over $100 Million | Crypto Briefing (Jun 27, 2021)
  27. What Is Ampleforth? How AMPL Is Redefining Decentralized Money | Crypto Briefing (Jun 27, 2021)
  28. The Yam Finance DeFi Experiment Comes to a Grinding Halt | Crypto Briefing (Jun 27, 2021)
  29. @YamFinance Twitter (Jul 11, 2021)
  30. @YamFinance Twitter (Jul 11, 2021)
  31. @YamFinance Twitter (Jul 11, 2021)
  32. @YamFinance Twitter (Jul 11, 2021)
  33. @YamFinance Twitter (Jul 11, 2021)
  34. @YamFinance Twitter (Jul 11, 2021)
  35. @YamFinance Twitter (Jul 11, 2021)
  36. @YamFinance Twitter (Jul 11, 2021)
  37. @YamFinance Twitter (Jul 11, 2021)
  38. @YamFinance Twitter (Jul 11, 2021)
  39. @YamFinance Twitter (Jul 11, 2021)
  40. @YamFinance Twitter (Jul 11, 2021)
  41. @YamFinance Twitter (Jul 11, 2021)
  42. @YamFinance Twitter (Jul 11, 2021)
  43. @YamFinance Twitter (Jul 11, 2021)
  44. @YamFinance Twitter (Jul 11, 2021)
  45. @YamFinance Twitter (Jul 11, 2021)
  46. @YamFinance Twitter (Jul 11, 2021)
  47. @YamFinance Twitter (Jul 11, 2021)
  48. @YamFinance Twitter (Jul 11, 2021)
  49. @YamFinance Twitter (Jul 11, 2021)
  50. @YamFinance Twitter (Jul 11, 2021)
  51. @YamFinance Twitter (Jul 11, 2021)
  52. @YamFinance Twitter (Jul 11, 2021)
  53. Save Yam (Jul 11, 2021)
  54. Yam Post Rescue Attempt Update (Jul 11, 2021)
  55. Yam Migration Faq (Jul 11, 2021)
  56. Yam Migration Live (Jul 11, 2021)
  57. SlowMist Hacked - SlowMist Zone (May 18, 2021)
  58. Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021? | CertiK Foundation Blog (Jul 23, 2021)
  59. https://mobile.twitter.com/certik_io/status/1293999091245035521 (Jan 10, 2022)
  60. @amanusk_ Twitter (Jul 24, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=YAM_Finance_Incident&oldid=3810"