2020/08/13 Yam Finance Smart Contract Bug Analysis & Future Prevention

What Happened?

On August 12th, Yam Finance officially announced that a smart contract bug had been found that would mint more YAM tokens than intended during its rebase event, a planned mint/burn event meant to keep the price stable over time. Yam Finance uses an elastic supply of YAM tokens to stabilize the price, similar to Ampleforth, a CertiK client.

Where Is The Smart Contract Bug?

The bug is in the rebase function of the smart contract YAM.sol in the YAM project, as shown in the following screenshot:
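
An added example, not from the original post and not YAM's own code: a simplified Python model of an elastic-supply token with an 18-decimal fixed-point scaling factor. It reproduces the publicly documented cause (total supply recomputed in rebase without dividing by the fixed-point base) and runs a supply invariant check that flags it. The class, function names and holder balances are assumptions constructed for illustration.

```python
# Simplified model of an elastic-supply token; names and balances are
# constructed for illustration and this is not the YAM.sol source.
BASE = 10**18  # fixed-point base: a scaling factor of 1.0 is stored as 10**18


class ElasticToken:
    def __init__(self, holders, fixed_rebase):
        # holders maps an address label to its underlying (unscaled) balance
        self.underlying = dict(holders)
        self.init_supply = sum(holders.values())
        self.scaling_factor = BASE
        self.total_supply = self.init_supply
        self.fixed_rebase = fixed_rebase

    def balance_of(self, who):
        # External balance = underlying balance * scaling factor / BASE
        return self.underlying[who] * self.scaling_factor // BASE

    def rebase(self, index_delta, positive):
        # index_delta is an 18-decimal fraction, e.g. 10**17 means 10%
        factor = BASE + index_delta if positive else BASE - index_delta
        self.scaling_factor = self.scaling_factor * factor // BASE
        product = self.init_supply * self.scaling_factor
        # Two 18-decimal values were multiplied, so the product must be
        # divided by BASE once. The buggy variant skips that division.
        self.total_supply = product // BASE if self.fixed_rebase else product
        return self.total_supply


def supply_invariant_holds(token):
    # Invariant: reported total supply equals the sum of holder balances,
    # allowing one unit of rounding error per holder.
    summed = sum(token.balance_of(h) for h in token.underlying)
    return abs(token.total_supply - summed) <= len(token.underlying)


def run_rebase_check(fixed):
    holders = {"alice": 600 * BASE, "bob": 400 * BASE}  # constructed sample
    token = ElasticToken(holders, fixed_rebase=fixed)
    reported = token.rebase(10**17, positive=True)  # +10% rebase
    return reported, supply_invariant_holds(token)


if __name__ == "__main__":
    for fixed in (True, False):
        print("fixed" if fixed else "buggy", run_rebase_check(fixed))
```

Run as a unit or property test against every rebase path, the invariant fails on the first positive rebase of the buggy variant, where the reported supply is too large by a factor of 10**18.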

Can Governance Fix This Bug?

Yam Finance publicly announced that they needed around 160,000 YAM by 3am EDT to be able to submit a proposal that would allow users to transfer or deposit tokens back into the staking pool if the delegated voting power is above 400,000 YAM. This proposal needed to be submitted by 3am EDT since the next rebase was set to happen at 4am EST on August 13th.

Current State and Future Plans

Due to this smart contract bug, Yam Finance lost the ability to govern. Additionally, 75% of the YAM/yCRV Uniswap pool has been liquidated and moved out of the pool, while the rest has been completely removed.

How Can We Prevent This Moving Forward?

Official Website: https://certik.io