After an exploit, another Polygon Yield Farm goes to zero.

PolyYeld Finance's governance token, YELD, was produced in excess by an unknown attacker. Important Points to Remember.


  • After attackers used a vulnerability to generate roughly 4.9 trillion tokens, PolyYeld Finance's YELD token has plummeted to zero.
  • PolyYeld's Masterchef pool, which included xYELD tokens, was the focus of the attack.
  • Several other Polygon yield farming ventures have been targeted in recent months.

Exploits used by attackers Vulnerability to PolyYeld

PolyYeld Finance's native token has been devalued to zero after attackers exploited a flaw to create an excessive amount of tokens.

The attacker successfully generated over 4.9 trillion YELD tokens, according to security firm PeckShield. They sold a portion of them for around 123 ETH, which is roughly $250,000 today.

The hacker took advantage of a flaw in the PolyYeld Masterchef contract, which is utilized by yield farms to distribute incentives. The attack was launched against a Masterchef pool that contained another token called xYELD, which created passive income for holders by charging fees on each transaction and distributing the fees as YELD rewards.

The PolyYeld team said in a Telegram message that its Masterchef contract couldn't support xYELD's incentive distribution scheme, allowing the attack to go place. They explained:

“[The] xYELD token contains a transfer tax that was applied to Masterchef, which could not handle tokens with transfer taxes due to its limitations.”

Due to the lack of Masterchef functionality, attackers were able to create free reward tokens by depleting the xYELD liquidity pool.

The Masterchef contract was created to distribute liquidity pool token awards. Yield farms on Binance Smart Chain and Polygon, however, have lately begun to use master contracts for single asset tokens or "transfer fee tokens" like xYELD.

A deflationary token, such as xYELD, charges a price on transfers, according to security firm PeckShield. The xYELD balance was fraudulently decreased down to 1 WEI, the smallest denomination of 1 Polygon, by repetitive deposits and withdrawals.

A Masterchef contract calculates incentives by dividing the pool value by the value of staked tokens, which means that if the pool value is reduced, the awards can skyrocket. PeckShield's founder and CEO, Xuxian Jiang, told CryptoBriefing:

“The attacker regularly triggers the tax collection by making numerous transactions and withdrawals with the MasterChef. This eventually reduces MasterChef's xYELD balance to 1 WEI, resulting in genuine exploitation.”

The market was instantly filled as the attackers generated 4.9 trillion tokens and sold a fraction of them, causing the price to plummet to zero. The maximum supply was supposed to be 62,100 YELD tokens, according to PolyYeld's website.

The price of YELD has dropped from $25 to $0 in less than a day since the attack. Meanwhile, according to Dex Guru, xYELD has dropped from $100 to roughly $7.

The team requested users to unstake their assets in a note sent to the PolyYeld Telegram group. It went on to say that it was considering a compensation plan and that it would provide an update in the following days. Meanwhile, the Telegram group, as well as other means of communication, has been silenced.

This is another another security incident involving yield farms based on polygons. In recent months, companies like Iron Finance, PolyWhale, and SafeDollar have all been targeted in a similar way, with attackers inflating token supply and causing a price crash. As of last week, PolyYeld had more than $20 million in total value locked up.

Share:

No comments:

Post a Comment

Note: only a member of this blog may post a comment.

Hot Topic

Did the Ethereum Merge Go Wrong?

Ethereum is in a state of instability as a result of the merger. Was it all worth it? Some Ethereum supporters aren't so certain. What a...

counter, at the bottom of the page, in a table, div or under a menu.