The vulnerability in the quickly developed contracts for YAM Finance has caused its permanent break and the freezing of Curve tokens. The price of frozen tokens is 750 thousand USD.
DeFi developer and founder of the yEarn protocol, Andre Cronje told Cointelegraph that such vulnerability appeared because of bugged rebase function.
YAM has been planned as stable coin having the mechanism reminding the one of Ampleforth supposing the contracts, which either make or delete supply taking into account that token price remains at the level of $1 peg.
Cronje explained the essence of the bug in the rebase function: each next call will significantly increase (supply) every time by 10^1e18.”
Such increase has caused great flow of new tokens, exceeding the planned supply.
At the same time Cronje mentioned that the bug consisted of three elements. The problem has been added by the structure which YAM applied for tokens price regulation.
Another option of rebase function is to sell “into the yCRV/YAM pool up to a max of 10% slippage,” to make sure that the price indicates supply in real-time mode. The return and rest of YAM is sent to treasury contract.
Another system aspect concerns control, claiming some percentage of tokens distributed for proposal for twenty hours and a half. Previous concerns about insufficient amount of tokens and following support campaign had been vain.
Such campaign has resulted at blocking. The vulnerability can’t be fixed without access to control system, which theoretically supposes the death of the project.