UPD: governance revoked access to affected strategies. They can't be used as active strategies any more.
-
A potential vulnerability was discovered and patched within 24 minutes.
-
This vulnerability could have put funds of the yDAI, yTUSD and yUSD vaults at risk. It was not exploited.
-
yDAI, yTUSD and yUSD vaults have been reverted to earlier non-proxy strategies.
-
All funds are safe. No action is required by users.
At 12:24 (UTC), banteg notices that people are posting in the yearn discord about negative returns.
He checks the vault dashboard and verifies that the share price has indeed dipped and reports this to the Yearn core developer group. Wondering whether this could be something related to a change in Curve.fi, he checks with the Curve team if they had adjusted the A parameter recently, and receives confirmation they had not.
Some minutes later, Andre identifies that the problem is related to a keeper bot, which is not fully completing a transaction as intended, due to insufficient gas limit. Andre tweaks the bot settings, the transaction completes, and the share price returns to normal.
Moments later, Andre discovers another potential exploit with the strategy. It is determined that all further deposits into the affected strategies should be disabled. The multisig is quickly called into action.
The keeper bot calls earn() and harvest() functions. The problem was with the earn() function that deposits funds from the vault into the strategy. It ran out of gas with some of the funds not being fully propagated to their destination.
Triggering a faulty earn() could manipulate the share price, allowing you to buy the dip. This could be executed through a flash loan with a low gas earn(), deposit(), normal earn(), and withdraw(). This could be repeated several times and through this process drain the vault.
The initial approach was to pause all deposits into the vault while a fix could be prepared.
While this was underway, it was noticed that as the strategist, Andre could switch the active strategies of the affected vaults to any previously approved one. So he reset the vaults back to their previous non-proxy strategies that were not exposed to the vulnerability, protecting all funds and deposits in the process.
It should be emphasized that by switching the active strategies, Andre is not using any type of special privilege or access to the yearn protocol. Any strategist for a vault, has the permission to switch between previously approved strategies at any time.
Strategies are added or removed from the list of approved strategies by governance.
Sep 25, 2020, 12:24 (UTC): People begin posting in the yearn discord about negative returns.
12:36: Share price dip is verified, Yearn developers notified, Curve.fi confirms problem is not on their side.
12:48: Problem identified to be a bot, and its settings are tweaked to correct the issue.
13:03: Andre discovers the exploit.
13:06: Klim drafts a multisig tx that sets yCRV, DAI and TUSD vaults min parameter to zero.
14:04: Andre rolls back the strategies to the previous versions, resolving the incident.
-
A faulty
yUSD.earn()transaction -
Strategy switch for curve.fi/busd vault
-
Strategy switch for curve.fi/sbtc vault
-
Strategy switch for curve.fi/y vault