There’s a bug in the Yam Finance protocol, the day-old yield farming mash-up project delivering the latest astronomical annualized returns in the booming DeFi industry.
Yam Finance tweeted the discovery earlier today, alerting users to an error leading to unintended token supply growth that would benefit the governance-controlled reserve. The extra tokens accumulated would capture an increasing amount of the overall Yam market cap, reducing the value of all other users’ tokens over time.
We have found a bug in the rebasing contract, please read below.
All funds in staking contract are safe, as this is an unrelated part of the protocol.
In response, developers are asking early adopters to put their governing power to use implementing a temporary fix, requiring at least 175,000 votes to activate the proposal. It’s another early stress test of the power of distributed governance, and an example of developers working together with a community that has taken root literally overnight.
The bug involves the issuance of Yams during “rebase” events, when the total supply of the token is changed in a mechanism designed to keep the price stable over time. Notably, Yam developers were clear up front that while Yam was constructed largely using well-known, previously audited smart contracts, the specific Yam design had not itself been put to an audit.
Yam was launched yesterday via a Medium blog post and has already attracted close to $400 million in locked value, according to analytics platform Nansen. The protocol combines elements of yEarn.finance and Synthetix smart contracts and an elastic supply inspired by Ampleforth in an experiment in cutting-edge DeFi paradigms. The value of Yams is pegged to $1 USD, which means the total supply of Yam tokens will increase or decrease in response to prices higher or lower than one dollar in “rebase” events.
If Yams are trading for more than a dollar, the twice-daily rebase event will increase the supply of tokens proportionally across each user’s Yam balance; increasing the supply, in theory, lowers the value of each individual token. This is because the total value of the supply, as measured by the token’s market cap, is distributed among a greater total number of tokens.
If Yams are trading for less than a dollar, rebase events will reduce the supply of Yams to increase the price. Rebase events are limited to changing the supply by 10% at a time, so extra Yam generated would automatically be contributed to the community governance pool.
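An added example, not Yam's contract code: a simplified Python model of the rebase described above (proportional scaling around a $1 peg, capped at 10% per event), with an invariant check that a rebase leaves every holder's share of total supply unchanged. The `reserve_extra` parameter and the sample balances are constructed to model unintended growth of the reserve; they do not reproduce the actual defect in the contract.

```python
from fractions import Fraction

CAP = Fraction(1, 10)   # article: a rebase changes supply by at most 10%
PEG = Fraction(1)       # article: target price of $1

def rebase_factor(price):
    """Supply multiplier for one rebase, clamped to +/-10% (simplified model)."""
    deviation = (Fraction(price) - PEG) / PEG
    return 1 + max(-CAP, min(CAP, deviation))

def rebase(balances, price, reserve_extra=Fraction(0)):
    """Scale every balance by the same factor. reserve_extra is a constructed
    knob that credits additional tokens to the reserve, standing in for
    unintended supply growth."""
    f = rebase_factor(price)
    new = {who: bal * f for who, bal in balances.items()}
    new["reserve"] += reserve_extra
    return new

def shares(balances):
    """Each holder's fraction of total supply."""
    total = sum(balances.values())
    return {who: bal / total for who, bal in balances.items()}

def diluted_holders(before, after):
    """Invariant check: a correct rebase must not shrink anyone's share.
    Returns the holders whose share of supply went down."""
    b, a = shares(before), shares(after)
    return sorted(who for who in b if a[who] < b[who])

def simulate(balances, prices, reserve_extra):
    """Run consecutive rebases and return the reserve's share after each."""
    history = []
    for p in prices:
        balances = rebase(balances, p, reserve_extra)
        history.append(shares(balances)["reserve"])
    return history

# Constructed sample state, not on-chain data.
START = {"alice": Fraction(600), "bob": Fraction(300), "reserve": Fraction(100)}

if __name__ == "__main__":
    ok = rebase(START, "1.25")                    # clamped to +10%
    bad = rebase(START, "1.25", Fraction(110))    # same rebase plus excess mint
    print("correct rebase, diluted:", diluted_holders(START, ok))
    print("excess mint, diluted:   ", diluted_holders(START, bad))
    print("reserve share over 3 rebases:",
          [float(s) for s in simulate(START, ["1.25"] * 3, Fraction(110))])
```

Run as a property test before deployment, the share invariant fails on the first rebase that credits the reserve more than its proportional amount.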
In response to the bug, Yam holders are being asked to vote via the Etherscan contract interface. The fix will halt the rebase function until developers are able to construct a more permanent fix, and will burn all Yam tokens currently in the governance reserve. Two votes will be required to activate the fix. The first will require 35,000 Yams to bring the proposal for a vote, while the second will require 140,000 Yams to activate the new code after a 12.5-hour waiting period.
Hundreds of millions of dollars are at stake within Yam Finance, but more important might be the test of whether the brand new community can pull together and follow its developers’ lead.