How One Line of Code Destroyed Yam DeFi

Published at: Aug. 13, 2020

The now notorious project, Yam.Finance, was launched without a proper code audit, just like many other projects in the space. Richard Ma, the CEO of blockchain security company Quantstamp, told Cointelegraph that many DeFi projects are launched unaudited in order to capitalize on reverse psychology:

“Not having an audit is currently seen as a good way to use reverse-psychology to do marketing.” He added, “It creates the perception that these projects are so in-demand, and that you're getting in on it at the ground floor, before other people have heard of it.”

According to Ma, many popular projects like Yearn Finance, Cream and Yearn Finance II were launched in the same fashion. However, he notes that it does not necessarily mean that DeFi users need to be paranoid about these beloved projects; Ma noted that “the most danger lies in the early days.”

If a project survives its early growing pains, it “starts to accumulate many informal security reviews”. In the case of Yearn Finance, Quantstamp ended up performing a formal security audit later on. Yam was not fortunate enough to make it to that stage. Though Ma performed an unofficial audit of some of Yam’s smart contracts, he did not audit the one that led to the project’s failure. Examining the code, Ma said that a single line of code doomed the Yam farmers:

“totalSupply = initSupply.mul(yamsScalingFactor)”

This should have been followed by “.div(BASE)”, in essence dividing the supply by a very large number — 10 followed by seventeen zeros. Without this divisor, the network was set to create “Zimbabwe style” inflation. According to Ma, there is no way of fixing this bug and, as a result, approximately $750,000 worth of crypto is permanently locked.
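To make the scale of the error concrete, here is an added Python model of the rebase arithmetic (it is not Yam’s Solidity code, and the supply and scaling-factor values are constructed for illustration). It assumes the usual fixed-point convention where BASE = 10**18 represents the number 1.0, mirrors Solidity’s SafeMath overflow revert, and shows the kind of one-line invariant test (a scaling factor of exactly 1.0 must leave the supply unchanged) that would have flagged the missing division before deployment.

```python
# Added example: models a rebase token's totalSupply update with and without the
# missing division by BASE. Assumed convention: BASE == 10**18 encodes 1.0, so a
# scaling factor of 11 * 10**17 means "multiply supply by 1.1".
UINT256_MAX = 2**256 - 1
BASE = 10**18  # assumed fixed-point scale, matching the common Solidity convention


def safe_mul(a: int, b: int) -> int:
    """Mimic SafeMath.mul: revert (raise) instead of silently wrapping on overflow."""
    result = a * b
    if result > UINT256_MAX:
        raise OverflowError("SafeMath: multiplication overflow")
    return result


def safe_div(a: int, b: int) -> int:
    """Mimic SafeMath.div: integer division, revert on divide-by-zero."""
    if b == 0:
        raise ZeroDivisionError("SafeMath: division by zero")
    return a // b


def rebase_supply_buggy(init_supply: int, scaling_factor: int) -> int:
    """The flawed form described in the article: initSupply.mul(yamsScalingFactor)
    with no trailing .div(BASE). The result is BASE (1e18) times too large."""
    return safe_mul(init_supply, scaling_factor)


def rebase_supply_fixed(init_supply: int, scaling_factor: int) -> int:
    """The intended form: initSupply.mul(yamsScalingFactor).div(BASE)."""
    return safe_div(safe_mul(init_supply, scaling_factor), BASE)


def inflation_multiplier(init_supply: int, scaling_factor: int) -> int:
    """How many times larger the buggy supply is than the intended supply."""
    return rebase_supply_buggy(init_supply, scaling_factor) // rebase_supply_fixed(
        init_supply, scaling_factor
    )


def identity_rebase_holds(rebase_fn, init_supply: int = 1_000 * BASE) -> bool:
    """Invariant check a unit test should enforce: rebasing by a scaling factor of
    exactly 1.0 (== BASE) must not change totalSupply at all."""
    return rebase_fn(init_supply, BASE) == init_supply


if __name__ == "__main__":
    # Constructed sample values: 5,000,000 tokens (18 decimals) rebased by +10%.
    init_supply = 5_000_000 * 10**18
    scaling_factor = 11 * 10**17  # 1.1 in BASE-scaled fixed point

    print("intended totalSupply:", rebase_supply_fixed(init_supply, scaling_factor))
    print("buggy totalSupply:   ", rebase_supply_buggy(init_supply, scaling_factor))
    print("inflation multiplier:", inflation_multiplier(init_supply, scaling_factor))
    print("identity rebase holds (fixed):", identity_rebase_holds(rebase_supply_fixed))
    print("identity rebase holds (buggy):", identity_rebase_holds(rebase_supply_buggy))
```

The identity check is the cheap defence here: any fixed-point multiply that forgets to divide by the scale factor fails it immediately, regardless of the actual numbers involved, so it belongs in the test suite of every rebase or scaled-balance contract.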

Quantstamp’s CEO does not believe that the Yam debacle will break DeFi, as “DeFi people have a way of being okay with volatility”. He also added that many crypto influencers invested in the now defunct project, noting that “So many influencers got into YAM - it's about 1/3rd of my twitter feed now”.

Yam.finance’s short-lived history is perhaps best summed up by the following chart: 

Source: CoinMarketCap.
