Exploit discovered on Andre Cronje’s latest project yCredit
An exploit has been discovered on yCredit, only a day after the protocol was launched, according to sources.
The yCredit contract is vulnerable to an economic attack that can cause loss of all user funds.
If you deposited into the contract using Etherscan or bought yCredit on Sushiswap, withdraw or sell it immediately.
I’ll publish the exploit after all funds are withdrawn.
— nour (@NourHaridy) January 1, 2021
Launched by Yearn Finance Founder – Andre Cronje, the newly created DeFi protocol was intended to give users ‘tokenized yield credit’, wherein whenever a user makes a deposit, he/she will receive 99.5% of it as a credit line.
However, a disclaimer in the medium article shared by Cronje states,
“ yCredit is experimental. yCredit is not a speculative token. yCredit can be economically exploited.”
The last line, in particular, seems to have been proven, as a developer took to Twitter to claim that he has discovered an exploit of the contract and advised any users that had deposited funds into the contract to withdraw or sell it immediately.
The developer, Nour Haridy, reportedly shared the exploit with other developers who tested the exploit themselves and confirmed the veracity of his claim.
Makes you think, would an audit capture these? What if Andre puts just enough of his own funds to make exploiting attractive? Maybe its even cheaper/faster vs. an audit ?
— Ivan Martinez (@0xKiwi_) January 2, 2021
In fact, more recently, according to developer Ivan Martinez, someone used a different attack vendor on yCredit than the one originally discovered by Haridy.
Amidst these developments, data from Etherscan suggests that people continued to buy in more, despite the imminent warnings about a confirmed exploit.
Many have raised alarms as to why the contract was deployed without being finished and tested. One user expressed his concern on Twitter stating,
“This is why you guys should only release fully finished products – for the sake of yearn, its holders, and not least for your own reputations sake.”
While Yearn Finance was not directly involved in yCredit, this isn’t the first time its founder Andre Cronje has been in the spotlight for ‘untrustworthy’ projects. It is unclear how Yearn’s reputation and price will be affected by these developments.