Yam Finance, a decentralized finance (DeFi) mash-up project that no one had heard of before 11 August, 5 pm UTC, managed to lock in $400 million within the first 24 hours. As a matter of fact, within the first 90 minutes of its launch, $90 million was deposited in the protocol.
Now the DeFi protocol has lost control of its on-chain governance due to a bug that was discovered on Wednesday, 12 August. The rebase bug could lead to excessive Yam minting. With this bug in place, no governance action would be possible, and as a result the funds would lie locked in the treasury.
Following the unfortunate bug discovery, the users were asked to exit YAM/yCRV liquidity pools on 13 August. However, due to this fatal bug, cryptocurrency worth $750,000 is now permanently locked in the treasury.
On 13 August at 3:30 am UTC, Yam developers strongly advised Yam investors to exit the Uniswap YAM/yCRV liquidity pool in the next 35 minutes. And this led to a crypto-wide panic.
Governance proposal submitted (0x1d64875b24732bc2e8880cd0870ea8e301ddde683ce81fea418e9ab4feea90bb)
🚨 we are urgently investigating a potential flaw that would prevent proposal execution.
We strongly advise exiting the Uniswap YAM/yCRV pool prior to rebase at 8am UTC (35 mins)
— Yam Finance (@YamFinance) August 13, 2020
The protocol went live without a security audit and the token held zero inherent value. But the project lured millions of dollars in by promising a 10,000% annual percentage yield (APY). According to Quantstamp CEO Richard Ma, Yam capitalized on reverse-psychology by marketing itself as an unaudited protocol.
As of 13 August, 4:30 am UTC, close to $585 million was locked in Yam. This was higher than the Total Value Locked (TVL) in Aave, which ranks 4th in the DeFi Pulse TVL charts. Interestingly, LINK worth $22 Mn, MKR worth $2.9 Mn, and SNX worth $4.2 Mn were borrowed on Aave to farm Yam.
Luckily, the Yam community managed to get 75% out of the liquidity pool prior to the second rebase.
DeFi has been a real buzzword in the crypto space lately as the Total Value Locked in DeFi is approaching $5 Billion.
What was YAM?
Project Yam was explained by its developers 2 hours prior to the launch on 11 August. As a matter of fact, Yam was put together in just 10 days. According to the Medium post, Yam is an experimental DeFi protocol: an elastic-supply cryptocurrency intended to establish fair farming, governance, and elasticity. It mashes up the innovative features of projects like Ampleforth (AMPL) and yEarn Finance I (YFI).
Just like AMPL, the Yam supply would expand and contract in response to market conditions. The aim was to peg Yam to 1 USD. The differentiator is that 10% of each supply expansion will be used to buy yCRV (USD stablecoins). These coins will then be allocated to the Yam treasury, which is controlled by community governance.
This is where the protocol was flawed.
According to an unofficial audit performed by Quantstamp, a single line of code in the rebase logic led to the present crisis.
“totalSupply = initSupply.mul(yamsScalingFactor)”
According to Quantstamp CEO Richard Ma, this line of code should have been followed by “div(BASE)”. This basically means the supply should have been divided by a very large number (10 followed by seventeen zeros). According to Ma, this is a permanent bug and $750,000 worth of crypto is locked in Yam permanently.
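The effect of the missing division can be reproduced with plain integers. The sketch below is an added illustration, not Yam's contract code: it models the quoted line with and without the division, and adds two property checks a pre-launch test could have run. The sample supply, the +5% rebase, the treasury_mint simplification and the failed_properties helper are assumptions made for the example.

```python
# Added illustration: models the 18-decimal fixed-point arithmetic in plain
# Python integers. It is not Yam's contract code.
BASE = 10**18  # fixed-point unit ("10 followed by seventeen zeros")

def total_supply_as_deployed(init_supply, yams_scaling_factor):
    # The line quoted in the article: initSupply.mul(yamsScalingFactor)
    return init_supply * yams_scaling_factor

def total_supply_corrected(init_supply, yams_scaling_factor):
    # Same line followed by div(BASE); // truncates like Solidity division
    return init_supply * yams_scaling_factor // BASE

def treasury_mint(old_total, new_total, share_percent=10):
    # Simplified assumption: 10% of the apparent expansion is minted for
    # the treasury purchase, as the article describes.
    return max(new_total - old_total, 0) * share_percent // 100

def failed_properties(total_supply_fn, init_supply, factor):
    """Checks a pre-launch test could run (hypothetical helper).
    Returns the names of the properties the supply function violates."""
    failed = []
    # A scaling factor of exactly 1.0 (== BASE) must leave supply unchanged.
    if total_supply_fn(init_supply, BASE) != init_supply:
        failed.append("identity")
    # A positive rebase may grow supply only by the factor's fractional part.
    allowed = init_supply * (factor - BASE) // BASE + 1
    if total_supply_fn(init_supply, factor) - init_supply > allowed:
        failed.append("growth_bound")
    return failed

# Constructed sample values: 2,000,000 tokens and a +5% rebase.
INIT_SUPPLY = 2_000_000 * BASE
FACTOR = 105 * 10**16  # 1.05 in 18-decimal fixed point

if __name__ == "__main__":
    good = total_supply_corrected(INIT_SUPPLY, FACTOR)
    bad = total_supply_as_deployed(INIT_SUPPLY, FACTOR)
    print("corrected supply :", good // BASE, "tokens")
    print("as-deployed      :", bad // BASE, "tokens")
    print("inflation factor :", bad // good)
    print("treasury mint ok :", treasury_mint(INIT_SUPPLY, good) // BASE)
    print("treasury mint bug:", treasury_mint(INIT_SUPPLY, bad) // BASE)
    for fn in (total_supply_corrected, total_supply_as_deployed):
        print(fn.__name__, failed_properties(fn, INIT_SUPPLY, FACTOR))
```

With the division omitted, the reported supply is larger than the intended figure by exactly the factor BASE, so any quantity derived from it, such as the treasury mint, is inflated by the same order of magnitude.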
YFI-like: Just like the yEarn Finance token YFI, Yam created an equal-opportunity staking distribution model. Yam was distributed with no pre-mine. There were no founder shares and no VC interests.
As there was no pre-mine or sale, Yam tokens are distributed evenly across eight staking pools. These were COMP, LEND, LINK, MKR, SNX, WETH, YFI, and ETH/AMPL Uniswap LP tokens. Anyone who owned the above tokens could stake in the Yam project and start earning Yam.
What will happen now?
Between 7 am and 8 am UTC on Thursday, 13 August, a governance proposal was submitted. But shortly afterwards, security experts concluded that due to the rebase bug, the proposal might not succeed.
In the last 19 hours, not much has changed and the concern remains the same. If the community governance cannot pass the proposal, the yCRV worth $750,000 accumulated during rebase will be stuck there forever. According to Yam’s recent Medium blog, the governance proposal can no longer fix the issue.
The official Yam blog states that the community will now set up a Gitcoin grant. This will help coordinate a community-funded audit of the Yam contracts, which will be followed by the launch of Yam 2.0.
Not the first unaudited project
According to Quantstamp CEO Richard Ma, Yam was not the only unaudited DeFi project. Projects like Yearn Finance, Cream and Yearn Finance II were also unaudited when launched. But they survived the early growing pains and reached a stage where they underwent many informal audits, and these audits helped those platforms gain more traction and user trust. As per Ma, DeFi investors need to be careful during the early days of any project. For Yam, it was unfortunate that it did not reach the stage of those unofficial audits, which could have prevented its doom.