An unknown attacker minted an excess supply of YELD, PolyYeld Finance’s governance token.
Key Takeaways
PolyYeld Finance’s YELD token has crashed to zero after attackers exploited a vulnerability to mint nearly 4.9 trillion tokens.
The attack targeted PolyYeld’s Masterchef pool, which contained xYELD tokens.
Several other yield farming projects on Polygon have suffered similar attacks in recent months.
PolyYeld Finance was exploited today, leading to a price collapse of its native token.
Attacker Exploits PolyYeld Vulnerability
PolyYeld Finance’s native token has collapsed to zero after attackers took advantage of a vulnerability to mint an excess supply of tokens.
According to security firm PeckShield, the attacker successfully minted nearly 4.9 trillion YELD tokens. They sold a portion of them for roughly 123 ETH, worth about $250,000 at today’s prices.
The attacker exploited a vulnerability in the PolyYeld Masterchef contract, a type of contract used by yield farms to distribute rewards. The attack targeted a Masterchef pool containing another token called xYELD, which generated passive income for holders by charging fees on each transaction and distributing them as YELD rewards.
In a note shared on Telegram, the PolyYeld team claimed that its Masterchef contract could not support xYELD’s reward distribution system, which allowed the attack to take place. They said:
“[The] xYELD token contains a transfer tax which was added to Masterchef, which unfortunately could not support tokens with transfer taxes.”
The lack of Masterchef support meant attackers could mint free reward tokens by shrinking the value of the xYELD liquidity pool.
The Masterchef contract was invented for distributing rewards for liquidity pool tokens. But more recently, yield farms on Binance Smart Chain and Polygon have started using Masterchef contracts for single asset tokens or “transfer fee tokens” like xYELD.
Security firm PeckShield explained that a deflationary token such as xYELD charges a fee on its transfers. With repeated deposits and withdrawals, the xYELD balance was maliciously shrunk down to 1 WEI, the smallest denomination on Polygon.
A Masterchef contract calculates rewards per staked token by dividing the rewards due to a pool by the token balance the pool holds, meaning if the pool balance is reduced, it can dramatically inflate the rewards. Xuxian Jiang, founder and CEO of PeckShield, told CryptoBriefing:
“By repeated deposits and withdraws with the MasterChef, the attacker frequently triggers the tax collection. This gradually reduces the xYELD balance of MasterChef to 1 WEI, which led to actual exploitation.”
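The accounting gap described above can be reproduced in a small integer model. This is an added example, not PolyYeld's or PeckShield's code: the Pool class, the 5% tax, the amounts and the cycle count are all assumed for illustration, and the hardened path shows the usual fix of crediting only what the pool received and dividing rewards by tracked stake.

```python
# Constructed integer model of MasterChef-style accounting; not PolyYeld's code.
PRECISION = 10**12  # fixed-point scale for reward-per-share


class Pool:
    def __init__(self, tax_bps, hardened):
        self.tax_bps = tax_bps    # transfer tax in basis points (assumed value)
        self.hardened = hardened
        self.balance = 0          # tokens the pool actually holds
        self.total_staked = 0     # sum of credited stakes
        self.staked = {}          # user -> credited stake
        self.acc_per_share = 0    # accumulated reward per staked token, scaled

    def deposit(self, user, amount):
        received = amount - amount * self.tax_bps // 10_000  # tax taken in transit
        self.balance += received
        # Flaw: crediting the requested amount. Fix: credit what actually arrived.
        credited = received if self.hardened else amount
        self.staked[user] = self.staked.get(user, 0) + credited
        self.total_staked += credited

    def withdraw(self, user, amount):
        if amount > self.staked.get(user, 0) or amount > self.balance:
            raise ValueError("withdrawal exceeds stake or pool balance")
        self.staked[user] -= amount
        self.total_staked -= amount
        self.balance -= amount

    def accrue(self, reward):
        # Flaw: dividing by the raw balance. Fix: divide by tracked stake.
        denom = self.total_staked if self.hardened else self.balance
        if denom:
            self.acc_per_share += reward * PRECISION // denom

    def pending(self, user):
        return self.staked.get(user, 0) * self.acc_per_share // PRECISION


def run(hardened, cycles=18, emitted=1_000):
    pool = Pool(tax_bps=500, hardened=hardened)
    pool.deposit("holder", 10_000)
    for _ in range(cycles):       # the repeated deposit/withdraw from the article
        pool.deposit("cycler", 10_000)
        pool.withdraw("cycler", pool.staked["cycler"])
    pool.accrue(emitted)
    return pool.balance, pool.total_staked, pool.pending("holder")
```

In the unhardened model the pool ends up holding 500 tokens against 10,000 credited, and a single 1,000-token emission yields a pending reward of 20,000 for one staker; the hardened model stays solvent and pays out no more than was emitted.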
As the attackers minted 4.9 trillion tokens and sold a portion of them, the market was immediately flooded, leading the price to collapse to zero. According to PolyYeld’s website, the maximum supply was intended to be 62,100 YELD tokens.
Since the attack, the price of YELD has crashed from $25 to $0 in the space of a day. Meanwhile, xYELD is down from $100 to around $7, as per Dex Guru.
In the note posted in the PolyYeld Telegram group, the team asked users to unstake their funds. It added that it was considering a compensation plan and promised a report in the coming days. Meanwhile, the Telegram group remains muted along with other channels of communication.
This is yet another security incident involving Polygon-based yield farms. In recent months, projects such as Iron Finance, PolyWhale, and SafeDollar were targeted in a similar fashion, wherein attackers hyperinflated the token supply and caused a price collapse.
PolyYeld held more than $20 million in total value locked as of last week.