
yCredit Exploit
Earlier today a vulnerability was discovered in Andre Cronje’s recently unveiled yCredit, one which could lead to a total loss of user funds.
The Medium post contained multiple warnings that yCredit was not safe and not to use it, but many ignored this advice and tracked down the contract.
The vulnerability was quickly confirmed by Yearn’s Emiliano and Banteg.

Banteg then used an Aave v2 flash loan, which allows multiple assets to be borrowed within a single transaction, to test the vulnerability.

It does not seem that this specific vulnerability was used by an attacker; however, a second and separate exploit was discovered to have taken place just a few hours later.
yCredit
yCredit was unveiled in a Medium post from Andre on Thursday. It builds upon Stable Credit and allows users to deposit ERC-20s and receive a USD-denominated credit line. A 0.5% fee is deducted and distributed to yCredit stakers. Arbitrage opportunities should incentivise a healthy peg.

Conclusion
Some in the community are concerned that making unaudited and potentially unsafe code available, even when it is not advertised, hurts Yearn’s reputation.
The event has brought discussion of the ‘test in prod’ approach back to the surface: many users are determined to ape their funds into whatever the latest unaudited contract is, and some worry that the resulting losses are damaging Yearn’s reputation.
yCredit was explicitly not intended for public use, with multiple warnings and no UI - users had to go out of their way to ape in.
I absolutely agree with Banteg that DeFi users’ behaviour is getting ridiculous.

We’ve had several instances where people have lost funds with this reckless strategy, but greed seems to outweigh caution time and again. It is to some extent understandable - those who aped into KP3R certainly didn’t regret it.
I’m against users losing money, but Andre’s approach is well documented and brings benefits that he swears by. If apes are willing to risk funds gambling they certainly have no one to blame but themselves.
Whether this is damaging Yearn’s reputation however is another matter entirely.
Decentralise is sponsored by PieDAO, community-governed tokenised ETFs. YPIE PieVault is a brand new product type, maximising yield while giving diverse exposure to the Yearn Finance ecosystem.