DeFi Yearn Finance Fixes a Critical Vulnerability in the Leveraged COMP Farming Strategy

DeFi protocol Yearn Finance awarded a maximum bounty of $200,000 to a security researcher xyzaudits after they revealed a vulnerability in the leveraged COMP farming strategies that have since been mitigated. “No funds were lost,” assured the team. According to the vulnerability disclosure, an attack vector in the GenLevComp strategy type that is in use in two strategies in the yvDAI 0.3.0 vault was disclosed through Yearn's security process. In this leverage strategy, DAI is borrowed and lent repeatedly on Compound in order to farm Comp tokens which makes use of dYdX for flash loans. If successfully exploited, the attacker would have been able to liquidate an affected strategy's entire debt position on Compound and potentially capture liquidation fees. This would have led to a “significant loss of user funds.” But the vulnerable strategies have been successfully wound down, and a fix has been committed and tested. A blue-chip project, Yean had over $4 billion in total value locked (TVL), as of writing, down from more than $5 billion in mid-June, as per DeFi Llama. In Q2 2021, the project enjoyed a jump of 138% in its TVL while its revenue grew by 233% to 18.3 million from $5.5 million. Yearn’s active wallet addresses are also seeing an increase of 31% to 21.5k.