Yam Finance Successfully Thwarts $3.1 Million Governance Attack

The team at DeFi protocol Yam Finance has successfully blocked an attempt to wipe out the project’s treasury, worth US$3.1 million. The would-be attacker had introduced a governance proposal that would have transferred control of Yam Finance’s reserves to the hacker’s wallet.

According to a preliminary report issued by Yam DAO, the attack was launched on July 7 but was only detected two days later:

The attacker submitted a governance proposal via internal transactions, thus making it difficult for community members to notice it. The malicious proposal included an unverified contract designed to transfer control of the platform’s reserves to a wallet address controlled by the attacker. If the exploit had succeeded, the attacker would have been able to drain Yam’s treasury.

Attacker Puts Up Native Tokens to Reach Quorum

Shortly after the proposal was created, the attacker voted on the proposal using 224,739 YAM (native tokens) – a number sufficient to reach a quorum. However, the team at Yam was able to cancel the proposal using their privileges, thus blocking the attack.

After the native token took a tumble, the YAM community voted on a “Redemption Proposal” that would have allowed token holders to redeem YAM tokens from the treasury for about US$0.25 each. The proposal was passed on July 8, with 54.14 percent of voters supporting it. Three days later, the team at Yam suggested a re-vote be taken to allow more time for discussion: