A bug in the hastily-developed contracts for Yam Finance resulted in the governance contracts being “permanently broken” and $750,000 worth of Curve tokens locked from use.
Andre Cronje, DeFi developer and founder of the yEarn protocol, told Cointelegraph that this resulted from a bugged rebase function.
Yam is supposed to be a stablecoin with a similar mechanism to Ampleforth, with the contracts creating or destroying supply based on the token’s price to maintain a $1 peg.
Cronje said that a bug in the rebase function meant that each call after the first one would “exponentially increase [supply] every time by 10^1e18.”
This results in a massive influx of new tokens, far more than there should have been.
But there were three parts to the bug, according to Cronje. The issue was compounded by an additional mechanism used by Yam to balance the token’s price. The rebase function also sells “into the yCRV/YAM pool up to a max of 10% slippage,” he said, to ensure that the price reflects the updated supply. The proceeds from the sale and remaining YAM are sent into the project’s treasury contract.
A further aspect of the system is its governance, which requires a percentage of all tokens to be committed to a proposal for 12.5 hours. While there were earlier concerns about not enough tokens being delegated, triggering a support campaign to get holders to vote, this was ultimately futile.
Since the rebase created a huge amount of new YAM and sent it to the treasury contract, it now holds the vast majority of all tokens. “This means the available YAM on the market aren't enough to reach quorum,” said Cronje.
The result is that both the governance and the treasury are now “bricked” and cannot be accessed. The rebase bug cannot be fixed without access to governance, so this should in theory spell the death of the project — or at least its existing smart contracts and tokens.