In mid-August, Yam Finance was the hottest project on the DeFi scene. Close to $600 million were locked on the platform less than 24 hours after it launched. It all came to a sudden stop, though, when a bug was discovered. YAM, the project’s governance token, collapsed in valuation, dropping from its $160 peak to less than a dollar.
Despite most marked the time of death of the project, it did endure. A plan of migration was presented where the code would be audited, preparing the project for an unexpected resurgence. As news of the migration spread, YAM made a miraculous recovery.
A little more than a week ago Yam Finance launched again. At launch, the YAM token stabilized in price around $25. Sadly, an exploit was identified by a Yam founder on September 22, which brought the project down to its knees again. It is important to note that this time the problem is not a bug, but a possible scenario in which a malicious actor could “take control of the protocol, including the treasury”.
In essence, think of it as someone having more financial incentive to control the entire protocol than to participate in governance, even if they hold a large portion of YAM tokens. The problem resides in the fact that YAM locked in the Uniswap pool is not eligible to be used for voting. Yam noted in the announcemet:
“In the current design, the strong incentives to provide liquidity to Uniswap are at odds with the ability to ensure robust participation in governance.”
To guard against this, a proposal has been submitted that, if passed, will allow the YAM Deployer contract to cancel proposals that are identified as malicious. The Yam team notes that this will only be temporary, “until a fix can be implemented, audited, deployed, approved by the community, and activated”.
Three potential solutions have been proposed to the issue, two of which aim to solve the issue with YAM tokens locked in liquidity pools not being able to be used for voting, while the third one aims to introduce a new contract (Guardian) to “address potential future attacks”.
In the announcement, the Yam team urges community members to discuss the situation on the governance forum.
Compared to the bug that was discovered in August, this exploit seems like a lesser issue. Still, YAM has crashed once again from a stable price of around $20 to about $1.3, as soon as the announcement was made.