Yam Finance thwarts governance attack aimed at hijacking its treasury

Quick Take

  • The attacker introduced a governance proposal that would have transferred control of the Yam Finance reserves to the hacker’s wallet.
  • Yam Finance has a treasury worth more than $3 million.

Yam Finance, a decentralized finance (DeFi) protocol, prevented a malicious governance attack designed to cede control of its reserves to an unknown third party, the project said on Saturday.

According to a preliminary report issued by Yam DAO, the attack was launched on July 7 but was not detected until two days later. The attacker submitted a governance proposal via internal transactions, making it difficult for community members to notice.

This malicious governance proposal included an unverified contract designed to transfer control of Yam’s reserves to a wallet address controlled by the attacker. The rogue actor was initially able to achieve a quorum for the proposal, which was in danger of passing before the Yam Finance team stopped it.

If the attack had succeeded, the attacker would have been able to drain the Yam Finance treasury, which currently holds $3.1 million worth of crypto assets, according to data from DeepDAO.

Yam Finance said the attack was similar to another attempt made in December 2021.

Saturday’s attack came amid another governance tussle within the Yam ecosystem, also related to the project’s treasury. The issue was another disputed governance vote — this time, a snapshot vote — that aimed to make the project’s treasury redeemable at a pro-rata rate.

While the initial snapshot vote passed with more than a 54% majority, there are now calls for the process to be redone. Some community members have submitted a new proposal for a re-vote, claiming that the original process did not go through the usual governance procedures.

Yam Finance was one of the projects that emerged from the early DeFi boom in the summer of 2020. Originally a stablecoin protocol, the project pivoted to become a DeFi hub after a major bug occurred during a migration barely two days into the life of the project.

© 2023 The Block. All Rights Reserved.