Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Yearn got hacked for a third time in its long history. The author of this post dove into how the exploit works and explains it. It's important to understand what's going on and not just bookmark it. The yETH uses a hybrid AAM type. It acts as constant sum when the tokens are balanced, to keep prices stable and constant product as they get further out. The article shows a good graph of this.

The function _calc_supply() is used for generating the values of the curve. Notably, it's figuring out what the supply is from the constant-product and constant sum values. This is done with an iterative approximation to converge to a new supply. The constant product term r is recomputed each iterate as the current value multiples by the new supply and divided by the previous supply. The goal is for the smoothness of the curve to get better over as more tokens are put into the pool.

So, what's the vulnerability? If the decrease in the supply of an iteration is large enough, the the constant product term can round down to zero. Once this happens, it's 0 for the rest of the loop and poisons all value that it touches. Effectively, this creates a zero constant product term with a constant sum curve ALL the time. This is fine in the middle but is real bad on the edges because we are supposed to use the constant-product formula.

The attack works as follows:

1. Perform swap that will trigger the zero constant product term.
2. Use this to receive more LP tokens from the pool than intended with the unbalanced reserves.
3. Fix the constant product term back to the original during liquidity removal.
4. Withdraw tokens. These will now be more than what you started with.
5. Do it again and again...

There's actually a second bug in this code that allowed them to steal even more funds. When calculating the value sp, there are several unsafe math functions being used; this means that integer overflow protections are not enabled. In the math (l - s * r) / d it's possible to make s*r larger than l to cause an integer overflow. This mints a crazy amount of LP tokens, which they use to steal even more money. It should be noted that this is only possible to do because of the first vulnerability above.

The code appears to be a completely isolated product. Yearn v2 and v3 share zero code with yETH. This was an older product with millions still sitting in it. It's interesting how this occurred. Great articles describing the bug and the situation surrounding it!