• Home
  • Yam Finance Foils Governance Attack Seeking to Control $3 Million Treasury

Yam Finance noticed and stopped a governance attack that would have seen the platform lose control of its treasury if successful.

Decentralized finance (DeFi) protocol Yam Finance successfully stopped a governance attack aimed at seizing control of the platform’s reserves. Yam Finance said in a tweet that although the attacker made it difficult to notice, the platform detected and canceled the proposal.

“Earlier today, there was a governance attack on the DAO that has been thwarted. An unverified contract was deployed and governance proposal submitted via internal transactions to make it harder to notice. But the attack was noticed and the proposal has been cancelled.”

In a follow-up tweet, Yam Finance posted a link to a preliminary report on the incident. The official GitHub Gist post contained links to specific transactions on Etherscan, starting with normal activity that began on July 7th. Also, the report had links to “suspicious activity” on July 9th, which includes creating a malicious contract and voting on it.

The attacker planned to use a deceptive governance proposal with a malicious contract to transfer control of the protocol’s reserves. Before the Yam team noticed and thwarted the attack, the attacker had already formed a quorum for the proposal. In addition, the attack would have forced control of Yam Finance’s treasury – currently totaling $3.1 million according to data from analytics site DeepDAO.

Yam Finance did not provide details of its actions or how it prevented the attack. One of the platform’s tweets simple reads:

“We will post any additional information about this when we have it. The DAO security mechanisms are working as expected.”

Yam Finance Dispute

The governance attack happened amid an unresolved dispute in the Yam Finance ecosystem. A snapshot vote started a week ago sought to make Yam Finance’s treasury redeemable by people who would like to exit, leaving only those willing to maintain their positions. The vote’s text says the argument against this is that development is impossible if the platform’s treasury drains. According to the text, this is “provably false”. However, the anonymous person believes this is not a problem because over 80% of YAM’s supply is in stagnant wallets. Although the vote ended with 54% of respondents voting in favor, there is a call for a rerun. The call states that the vote did not follow due process.

A new proposal for a re-vote states that repeating the process is necessary because there were no announcements or presentations of the snapshot vote in Yam’s Discord and Discourse forums. According to the new text, a vote on a proposal this important must consider all token holders.

“…We are beholden to all token holders and the fact that this vote was created in what could be considered a sneaky and underhanded way cannot be ignored…There are rules around creating proposals and giving sufficient notice to token holders to make a decision. An unannounced vote does not meet these criteria,” wrote the company.

Share:

Leave a Reply

Your email address will not be published.