
Another Project Bites The Dust: How Someone Turned $200 Into $250k

A DeFi rebase bug that allowed someone to drain $250k from a Uniswap pool with only $200

It has been one crazy event after another in the Decentralized Finance (DeFi) world. This incident involves a spectacular pump, a catastrophic bug, and one lucky individual. Further, it highlights the importance of understanding the financial risk associated with DeFi applications.

What is SYFI?

Soft Yearn Finance (SYFI) is a DeFi project labeled as “A Fundamentally Yield-Stable Cryptocurrency.” Essentially, it was supposed to be nothing more than a token artificially pegged to the Yearn Finance token (YFI).

SYFI was supposed to be “soft pegged” to 0.0003 YFI. Through a re-balancing mechanism, whenever the price of 0.0003 YFI deviates significantly from the price of 1 SYFI, an expansion or contraction algorithm is enabled to counteract the price deviation. This is achieved through “overriding the balance, every 24 hours, in every wallet holding SYFI with respect to the percentage of the supply” according to the whitepaper. This process of overriding the token holder balances is called a “rebase.”

Once listed on Uniswap, a decentralized protocol for exchanging tokens, the price per token exploded to over $160. But during the very first rebase it immediately plummeted.

So what happened?

The protocol did not properly handle the rebase event. It allowed a user to initiate a Uniswap sell transaction just after the wallet balances were modified, but before any corresponding price change for the token was recorded by the pool. As with the bug that brought down Yam Finance, this critical oversight exemplifies the risk of using unaudited smart contracts and untested DeFi projects.

To make matters even worse, the rebase itself acted incorrectly. The rate of YFI to SYFI was improperly coded, so an incorrect balance change was applied.

Together these two mistakes allowed for a transaction to be initiated which would essentially withdraw the collective funds contained within the pool.
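A minimal model of the two states the article describes, added here as an illustration (it is not code from the Soft Yearn or Uniswap contracts): constant-product pricing with the Uniswap v2 fee formula, a rebase that multiplies the user's 2 SYFI by the same factor reported in the tweet (2 to 15,551), and the only difference being whether the pool's recorded SYFI reserve is updated in the same step. The pool reserves are constructed numbers chosen to match roughly 0.25 WETH per SYFI.

```python
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000  # Uniswap v2 charges 0.3% on the input amount


def amount_out(amount_in: float, reserve_in: float, reserve_out: float) -> float:
    """Constant-product output, same formula as Uniswap v2's getAmountOut."""
    with_fee = amount_in * FEE_NUM
    return with_fee * reserve_out / (reserve_in * FEE_DEN + with_fee)


@dataclass
class Pool:
    syfi: float  # SYFI reserve the pool uses for pricing
    weth: float  # WETH reserve

    def price_in_weth(self) -> float:
        return self.weth / self.syfi


def rebase(pool: Pool, user_syfi: float, factor: float, sync_pool: bool) -> float:
    """Multiply the user's balance by `factor`. A correct rebase also scales the
    pool's recorded reserve so the quoted price falls by the same factor; the
    buggy variant leaves the pool's reserve (and therefore its price) stale."""
    if sync_pool:
        pool.syfi *= factor
    return user_syfi * factor


def sell_after_rebase(sync_pool: bool) -> dict:
    # Constructed reserves: 800 WETH / 3200 SYFI, i.e. 0.25 WETH per SYFI.
    pool = Pool(syfi=3200.0, weth=800.0)
    user_syfi = 2.0
    factor = 15551 / 2  # 2 SYFI became 15,551 in the article's account
    price_before = pool.price_in_weth()
    user_syfi = rebase(pool, user_syfi, factor, sync_pool)
    weth_out = amount_out(user_syfi, pool.syfi, pool.weth)
    return {
        "price_before": price_before,
        "price_after": pool.price_in_weth(),
        "weth_out": weth_out,
        "pool_share_drained": weth_out / pool.weth,
    }


if __name__ == "__main__":
    for sync in (True, False):
        r = sell_after_rebase(sync)
        print("synced" if sync else "stale", {k: round(v, 4) for k, v in r.items()})
```

With the reserve synced the seller gets back about half a WETH for the rebased balance; with the reserve stale the same sale takes over 80% of the pool's WETH, which is the failure mode the two mistakes above combined to produce.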

Here is a Twitter thread posted by the individual who claims to be the beneficiary of this smart contract exploit opportunity. He or she was able to turn roughly $200 into over $250,000 within minutes, draining almost all of the pool’s liquidity with a single transaction.

Here is the transaction where the individual spent 0.5 WETH (worth around $165 at the time) for just over 2 SYFI using Uniswap v2. This transaction was included in a block at 07:43:53 UTC on Sep 3rd.

“I am staring at the uniswap UI with bated breath when the 2 $SYFI turns into 15,551, and subsequently the price quote for these tokens being over 740ETH…” (tweet)

Just 15 minutes later, at 08:01:14 this transaction transferred out 747.3 WETH (worth over $250,000 at the time) back to the individual.

You can see that the address (0x7db7f9ce1185ae8398224f0c041ffebe491a7fc5) has since made a number of transactions, mostly for 1 ETH. These seem to be repayments to people who lost money in the event, which the user is kind enough to be making; this transaction, for example, pays an address posted by a Twitter user who lost funds in the incident.

Many have blamed the individual for their lost funds, calling them a “malicious actor.” The reality is that the exploit was almost certain to be discovered and used by someone else (intentionally or not).

Just as in the Yam Finance incident, where a migration plan was initiated to try and save the project (but failed), the Soft Yearn team apologized in their Discord (with almost 7000 members at the time of writing) and asked folks to “please bear with us while we work on sYFIV2 to fix things.”

Decentralized financial systems allow people the freedom to do what they want with their money. This freedom comes with the responsibility of dealing with the results of one’s actions.

If you do not understand the risks of a particular product or service, you probably should not use it.
