Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Yield farming is lending or staking cryptocurrency in exchange for a percentage of interest. By providing some funds as an individual, you can take some of the groups profit.

In yield farming, a common code pattern is upon harvesting the yields (taking your share of money from the work done) that the tokens are swapped at an exchange, such as Uniswap. This is done in order to rebalance the contracts tokens in the event that too many funds are taken away. Additionally, it is common for the harvest() function to be public, meaning that anybody can decide when the yields can be harvested. Why is this a problem though?

An attacker can abuse this feature in order to manipulate the pool. An example flow is shown below:

1. Distort the pool being purchased from. For instance, take out a flash loan to make one asset expensive and the other much cheaper. Sell a ton of asset A to the pool.
2. Call harvest(). The pool does the swap at the very bad prices for Asset A.
3. The attacker will then trade Asset B they got from the original swap in order to get back a profit.

To protect against this type of manipulation, a few things can be done. First, limiting the callers of the yield function. Secondly, the harvest function can be called with extremely regularity to make the fees of the swap to expensive to perform this attack. Finally, check for slippage and reject to price if it has swayed too much.