I’m here to chat about the post mortem, and the case for plausible deniability vs admit partial responsibility on Yearn’s end. Also the $9 million impropriety on Yearn’s end.
I fully appreciate the dialog, but it still stands to reason that Yearn is thinking in Yearn’s best interest, and doing their best to avoid responsibility. Complete argument for your reading pleasure.
YEARN’s implausible deniability
Opening Statment: Yearn’s case for no responsibility for the CREAM hack is: “no one is blaming sushi, for Aave having the same vulnerability” and that no Yearn funds were lost and that the issue was on CREAM’s side, and their code acted “as it should”.
Yearn bears responsibility because Yearn and CREAM are PARTNERS. Sushi and Aave are autonomous entities, there is no feasible universe where the pricePerShare function being used as an “Oracle” wasn’t at minimum known by Yearn devs, if not suggested. Oracles are a hot topic and known weakness to the whole defi community, before launching CREAM’s yVault token collateral composability, this must have been discussed/know by Yearn devs.
Yearn devs claim the pricePerShare function “worked as expected”, and the ability for anyone to send funds as if the contract was a normal wallet was left open on purpose, and is a “documented feature”.
A lie by omission, while partially true, Yearn devs must have never fully considered/tested how the pricePerShare function would behave if the vault’s underlying token was sent to the vault in this manner. This makes sense at the vault’s inception because no one would airdrop the vaults underlying token to said vault, but the pricePerShare function should have been revisited when you knew it would become an Oracle. See Point A below for supporting evidence.
- Yearn devs claims no vault accounting was ever wrong and the CREAM team’s calculations were the only wrong ones.
Fallacy, by their own admission the pricePershare function was manipulated by the hacker to return a value of 2, when it should be 1. Two unrelated accounts interacted with the vault before it was fixed and those users had to be repaid for the miscalculation. ALSO, CREAM’s “oracle” is simply an interface that calls Yearn’s yVault contract’s external pricePerShare function directly. The pricePerShare function being manipulatable is the lynchpin of the entire hack. Allowing for inflated collateral values for the hacker and anyone holding the yVault token at that time. Also supported by Point A below.
A. Mudit Gupta hack analysis you provided in github at
Creamed Cream - Learn the Secret Recipe (Cream Hack Analysis) - Mudit Gupta's Blog
The magic happens here – Transfer 8m yUSD to yUSDVault. This basically donates $8m to the yUSDVault. The yUSD balance becomes $16m while total supply remains $8m. Therefore, the price of every yUSDVault share becomes $2 for real. All holders of yUSDVault just doubled their investments.
- Yearn tries using the hacker’s signed message as evidence of innocence: “As the hacker said, “aave lucky, cream unlucky”. Notice how he never mentioned yearn’s luck, because he knew it was the lending protocol’s issue.”
Another lie by omission and misdirection, if we’re going to use the hacker’s word against him or her, perhaps we should use this portion too? “ydev: incest bad, don’t do."
Clearly the hacker is scolding Yearn. We know they didn’t “get Yearn funds”, but that’s not the issue, the issue is responsibility of Yearn and CREAM codebase combined. Did you think I couldn’t read hexadecimal? Or use etherscan? Or google it?
I’m simply stating that Yearn devs should admit partial responsibility because they helped write the code with their partner. And their contract pricePerShare function being a manipulatable Oracle was integral to a very complex and unfortunately impressive hack.
Misappropriation of $9 million dollars in victim funds
Opening Statement: Yearn was sent approximately $9 million dollars in yvault tokens by the hacker so he or she could manipulate the pricePerShare function and therefore CREAM collateral “oracle”
- Yearn immediately sent this money to CREAM. Without verifying how it would be used. CREAM kept it and dumped their CREAM tokens on victim’s. Been like what 3 or 4 hacks this year for CREAM?
If Mochi or some other questionable protocol had been hacked instead of your partner CREAM would you have sent it back to Mochi without thinking?
If Yearn can’t convince CREAM to distribute the $9million, they should be held responsible for said funds.