Back to the list

Polygon-based protocol exploited in a TITAN-style attack; YELD crashes 100%

crypto-economy.com 28 July 2021 14:57, UTC
Reading time: ~3 m

Polygon-based yield farming protocol, PolyYeld Finance has become the latest victim of an exploit in its smart contracts. According to the blockchain security and data analytics firm PeckShield Inc., hackers were able to mint 4,995 billion of native YELD tokens and later swap 4% of them to approximately 123 ETH [with roughly $250K].Prominent decentralized finance [DeFi] platforms QuickSwap, SushiSwap as well ApeSwap were used for the hack. As a result of the hack, YELD slashed all of its value and crashed by 100%. It was currently reeling close to zero. 

The company also brought to light that the hack was due to the lack of deflationary token support in MasterChef. Note: MasterChef contract is used by a lot of yield farms including the popular Binance Smart Chain-based giant PancakeSwap to distribute incentives.

Coming back to PeckShield’s investigation, the firm explained that a deflationary token xYELD charges a fee on its transfers. The xYELD balance of the pool becomes 1 WEI, as a result of repeated deposits and withdraws. This is what paved the way for actual exploitation, claims the security firm.

The hack was due to the lack of deflationary token support in MasterChef. Specifically, a deflationary token xYELD charges a fee on its transfers. With repeated deposits and withdraws, the xYELD balance of the pool becomes 1 WEI, which sets the stage for actual exploitation. pic.twitter.com/W7EQA0JVi4

— PeckShield Inc. (@peckshield) July 28, 2021

PeckShield also detailed,

“In the exploit, the calculation of YELD reward relies on the xYELD balance of the pool, which is currently 1 WEI. Such a low pool balance is considered as the total staked amount, hence dramatically inflating the reward amount to the attacker (with the 4,995 billion YELD).”

In addition to that, the firm also mentioned that the gain of 123 ETH was transferred to Ethereum through Polygon Ether Bridge almost immediately. PolyYeld Finance, on the other hand, is yet to acknowledge or publish a post-mortem report of the same. 

It is important to understand that, Polygon-based DeFi protocols have showcased tremendous innovation in a very short span of time. The decentralized finance space has continued to see hundreds of millions of funds being lost from hacks, theft, rug pulls, and system failure ever since the disruptive subsector of the crypto exploded in popularity.

The TITAN haunts

According to Paladin Blockchain Security, PolyYeld Layer1’s Masterchef was exploited using a similar mechanism to the fall of Cerberus, Garuda, Ketchup, Piggy, CaramelSwap and others. The firm noted,

“Yeld token contains a transfer tax and was added to pid 16 on the Yeld L1 Masterchef, which unfortunately could not support tokens with transfer taxes. The referral system minted 4.9 trillion Yeld tokens which were then dumped on the market.”

Crypto-economy had earlier reported the fall of Iron Finance’s DeFi robbery, and a case of elaborate rug pul that triggered its native token, TITAN to coil back to zero. 

Back to the list

Similar news
Suggest news