Announced on August 16th, YFValue protocol is intended to deliver the true value of yield farming finance accessible to all users irrespective of their investment size.
A little over a week later, however, it turns out that over $170 million worth of cryptocurrency in the protocol is at risk of being locked by a single contract owner.
$130 Million in YFV At Risk of Being Locked
Money continues to pour in the field of Decentralized Finance (DeFi) as the total value locked in protocols approaches $7 billion, according to DeFi Pulse.
New protocols are coming out by the day, and investors are racing to be among the first to stake to benefit from the insanely high yield rates.
One such project is YFValue, launched on August 16th. In less than ten days, the protocol saw more than $120 million staked in it. Now, however, it appears that the funds are at risk of being locked out by a single contract owner.
A user brought up the issue on Twitter and outlined some of the challenges.
Besides mining the YFV token, farmers are also mining 2 additional tokens introduced by YFV: vETH token and vUSD token. Both of these 2 tokens have a minters set that is only modifiable by the owner. What would happen if the owner removed pool contracts from the minters set?
While discussing the technicalities, the user concluded that “this means $170 million worth of funds is now at the risk of being locked by a single EOA.”
The value locked in YFV has since decreased to around $130 million at the time of this writing.
Issue Confirmed, Resolution Plan in Place
In a detailed post by the team of YFValue, the issue was further confirmed and addressed.
Over the past 24 hours, various community members correctly identified a minting key oversight and exploit related to vUSD and vETH that would enable locking of funds after the completion of the current epoch. – The post reads.
The ownership of the keys in question will be kept by the team until such time that they manage to recover the funds that users may have lost by continuing to farm in the Pool 0.
Following this, the team has “decided to transfer ownership of these keys to a multisig wallet for flexibility in future governance decisions.”
For this to happen, the team has until August 25th at 1:58:23 PM GMT +0 to transfer the ownership of the YFV under their control to the multisig address, and they are looking for reputable and trusted people to do so. Some of the names proposed by the community include:
- Vitalik Buterin
- Andre Cronje from YFI
- Brendan Eich – CEO at BAT
- Sergey Nazarov – CEO at Chainlink
- Michael Gu, Founder at Boxmining
CryptoPotato had the chance to speak to the Founder of Boxmining on the matter, who said:
YFI brought a whole new category of Yield aggregators to improve upon DeFi yields. Developers are franticly deploying new highly innovative ideas and solutions.
However, we MUST ensure that these products are safe. Recent trends/mistakes have shown that more audits are needed, and developers need to be much more rigorous. Otherwise, it will severely damage the long term reputation of DeFi.
In a true fashion of decentralization, he has also done a poll on whether or not he should help sign the contract.
BoxDAO vote. Should I help sign the $YFV multi-sig contract?
— Boxmining (@boxmining) August 24, 2020
In any case, all of this outlines the risks of new DeFi protocols and that investors should always do their research very carefully. A lot of the upming projects are heavily hyped on social media as the “next big thing,” which causes a lot of fear of missing out (FOMO) amid various investors.
There are plenty of examples of failed experiments such as YAM – a protocol that attracted more than half a billion dollars in less than 24 hours, and a single mistake in the code rendered the entire protocol erroneous and unusable.
UPDATE: Since the article was published, the YFV team has disclosed that the keys will be transferred to a multisig wallet requiring four out of seven signatures and naming the holders of these keys in an official tweet.
The governance keys of vETH and vUSD from YFValue protocol will be transferred to a 4-of-7 multisig
More details will be public in our blog post soon
— yfv.finance (@FinanceYfv) August 26, 2020