YOLO Games Liquidity exitPool Check Missing
The YOLO Games platform is positioned as a premier destination for serious gamers, emphasizing substantial rewards, and is operated by an experienced team known for provably fair on-chain games and inventive reward systems. Participants can earn game fees and Droplets by providing liquidity, with Droplets redeemable for rewards at the season's end. Games played against YOLO Games use a Liquidity Pool model, which ensures winners receive payouts without depleting the LP's funds. Adding YOLO to the LP earns Droplets, which are distinct from the Points earned through gaming and challenges; both earn YOLO at the end of the season, and the LP's 1-2% edge over players means depositors can expect their position to grow over time. A $1.5 million theft, caused by a missing permission check in the exitPool function, led to immediate action: the YOLO LBP sale ended prematurely due to security concerns on Bazaar's platform, and affected participants were refunded. Plans for future events remain on track, with updates forthcoming as investigations progress.[1][2][3][4][5][6][7][8][9]
About YOLO Games
"THE HOME OF DEGEN GAMING The only venue for serious degens seeking serious rewards. Built by a veteran team with a track record of delivering provably fair, fun on-chain games and innovative reward systems."
"Provide liquidity to earn games fees and Droplets. Droplets earn you reward at the end of the season!"
"In games where you play against YOLO Games (versus PvP experiences), you effectively play against a Liquidity Pool (ETH or YOLO). This pool ensures that winners can be paid out without severely impacting the LP’s available funds."
"Add YOLO to the LP to earn Droplets. Not to be confused with Points (earned by gaming and completing challenges), these units will also earn YOLO at the end of the respective Season."
"Liquidity Pools have an edge over the player of 1-2% — which means that, over time, depositors can expect a steady increase in their YOLO position."
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
"$1.5 million was stolen from the liquidity pool on the Blast network’s gaming platform YOLO Games."
Date | Event | Description |
---|---|---|
June 5th, 2024 12:03:00 PM MDT | LBP Announcement | The upcoming LBP is announced for the first time. |
June 10th, 2024 6:12:00 AM MDT | YOLO LBP Launch | The launch of the YOLO LBP is announced to happen within 2 hours. |
June 10th, 2024 1:54:09 PM MDT | Blockchain Transaction | The malicious blockchain transaction impersonating one of the liquidity providers occurs on the Blast blockchain. |
June 10th, 2024 2:10:00 PM MDT | Initial Yolo Games Tweet | Yolo Games announces the vulnerability and their plan to offer refunds over the next few days. |
June 10th, 2024 8:23:00 PM MDT | Tweet About Transactions | A tweet is posted which includes the impersonating transaction. |
June 10th, 2024 9:30:00 PM MDT | Hacker Refund Transaction | A tweet is posted about the refund transaction of 90% of the funds from the hacker. |
June 11th, 2024 5:59:00 AM MDT | Refund Tweet Posted | Yolo Games tweets about providing refunds to every participant over 0.0001 ETH and states that they will not be holding any further token launches. Their development will be funded another way, which will be announced in the future. |
Technical Details
"$1.5 million was stolen from the liquidity pool on the Blast network’s gaming platform YOLO Games. The root cause was the lack of permission checks in the "exitPool" function, allowing anyone to impersonate liquidity providers and drain the pool. The attacker has already returned 90% of the stolen assets."
"$1.5M was hacked from the liquidity pool of @YOLO_Blast on @hiBazaar right after the UwU incident today. The root cause is no permission check in the `exitPool` function, allowing anyone to impersonate liquidity providers and drain the pool"
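The missing check described in these reports can be shown with a simplified pool, added here as an example: it is not the Bazaar LBP contract, and the contract name, function signatures and the one-share-per-wei accounting are all assumptions made for illustration. The unchecked exit trusts a caller-supplied `owner`, while the hardened exit requires the caller to be that owner or an operator the owner approved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified pool used only to illustrate the class of bug.
contract PoolSketch {
    mapping(address => uint256) public shares; // LP share balances
    uint256 public totalShares;
    // owner => operator => may exit on the owner's behalf
    mapping(address => mapping(address => bool)) public approvedOperator;

    error NotAuthorized(address caller, address owner);

    function joinPool() external payable {
        require(msg.value > 0, "zero deposit");
        // One share per wei keeps the sketch simple.
        shares[msg.sender] += msg.value;
        totalShares += msg.value;
    }

    function setOperator(address operator, bool allowed) external {
        approvedOperator[msg.sender][operator] = allowed;
    }

    // Weak pattern: `owner` is never compared with msg.sender, so the
    // caller chooses both whose shares are burned and who is paid.
    function exitPoolUnchecked(address owner, address payable recipient, uint256 amount) external {
        _exit(owner, recipient, amount);
    }

    // Hardened: only the owner, or an operator the owner approved, may exit.
    function exitPool(address owner, address payable recipient, uint256 amount) external {
        if (msg.sender != owner && !approvedOperator[owner][msg.sender]) {
            revert NotAuthorized(msg.sender, owner);
        }
        _exit(owner, recipient, amount);
    }

    function _exit(address owner, address payable recipient, uint256 amount) private {
        require(shares[owner] >= amount, "insufficient shares");
        // Update balances before the external call (checks-effects-interactions).
        shares[owner] -= amount;
        totalShares -= amount;
        (bool ok, ) = recipient.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A regression test for the hardened path should call `exitPool` from an address that is neither the owner nor an approved operator and assert that it reverts with `NotAuthorized`.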
Total Amount Lost
"$1.5 million"
The total amount lost has been estimated at $1,500,000 USD.
Immediate Reactions
"Due to a reported security vulnerability on the Bazaar LBP smart contract, the YOLO LBP sale has ended ahead of time. Users will not be able to participate in the LBP any further. Any users holding rYOLO from purchasing during the sale will receive an ETH refund based on the amount spent, to be collated over the next few days.
We will provide further updates as we investigate the issue with the Bazaar and Blast teams."
Ultimate Outcome
"Full refunds have been sent to all participants of the YOLO LBP sale who entered with at least 0.0001 ETH or more and were not in profit from trading.
If you entered with 1 ETH and the price moved down, you still got a 1 ETH refund.
You will be able to see the tx on Blastscan under “Internal Txns”.
The security exploit that affected Bazaar’s LBP contract is regretful, but we are undeterred. That said, there will no longer be a YOLO LBP or public sale of any kind. We are working on executing a new plan that will allow us to keep the previously communicated timeline for TGE etc, and will share more details ASAP."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. SlowMist Hacked - SlowMist Zone (Accessed Jun 20, 2024)
2. @shoucccc Twitter (Accessed Jun 20, 2024)
3. Blast Mainnet Network Transaction Hash (Txhash) Details | Blastscan (Accessed Jun 20, 2024)
4. @YOLO_Blast Twitter (Accessed Jun 20, 2024)
5. @shoucccc Twitter (Accessed Jun 20, 2024)
6. @YOLO_Blast Twitter (Accessed Jun 20, 2024)
7. @YOLO_Blast Twitter (Accessed Jun 20, 2024)
8. @YOLO_Blast Twitter (Accessed Jun 20, 2024)
9. @YOLO_Blast Twitter (Accessed Jun 20, 2024)