A two-day-old decentralized cryptocurrency called YAM collapsed on Wednesday after its creators revealed that a software bug had effectively vetoed human governance.
"At approximately 6PM UTC, on Wednesday, August 12, we discovered a bug in the YAM rebasing contract that would mint far more YAM than intended to sell to the Uniswap YAM/yCRV pool, sending a large amount of excess YAM to the protocol reserve," the YAM project explained in a post on Thursday.
"Given YAM’s governance module, this bug would render it impossible to reach quorum, meaning no governance action would be possible and funds in the treasury would be locked."
The bug followed from this line of code...
totalSupply = initSupply.mul(yamsScalingFactor);
...which was supposed to be...
totalSupply = initSupply.mul(yamsScalingFactor).div(BASE);
YAM, a decentralized finance experiment, implements a governance system (for making protocol changes) based on supposed smart contracts that allocates votes based on assets.
"A bug in the distribution logic caused the contracts to mint far far more tokens than intended," explained James Prestwich, founder of crypto biz Summa, in an email to The Register.
"These tokens were owned by the governance contract itself, and therefore couldn't vote. Because they exist and can't vote, it's impossible to ever meet the minimum voter participation. This means governance is permanently disabled, and all other tokens held by the governance contracts are permanently locked."
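The arithmetic behind the two lines above and the quorum failure Prestwich describes can be modeled in a few lines. This is an added Python illustration, not code from the YAM project; the value of BASE, the 18-decimal token unit, the mint rate and the 4 percent quorum are assumptions chosen for the example.

```python
# Added model of the fixed-point arithmetic; not the YAM contract code.
BASE = 10**18                          # assumed: a scaling factor of 1.0 is stored as BASE
INIT_SUPPLY = 29_000_000 * 10**18      # ~29m tokens (from the article), 18 decimals assumed
SCALING_FACTOR = 11 * BASE // 10       # constructed sample: factor of 1.1
MINT_RATE = BASE // 100                # hypothetical: rebase mints 1% of reported supply
QUORUM_PCT = 4                         # hypothetical quorum threshold


def total_supply_buggy(init_supply, scaling_factor):
    # Mirrors the shipped line: initSupply.mul(yamsScalingFactor)
    return init_supply * scaling_factor


def total_supply_fixed(init_supply, scaling_factor):
    # Mirrors the intended line: initSupply.mul(yamsScalingFactor).div(BASE)
    return init_supply * scaling_factor // BASE


def rebase_mint(reported_supply, mint_rate):
    # Tokens minted during a rebase, as a BASE-scaled fraction of reported supply.
    return reported_supply * mint_rate // BASE


def quorum_reachable(holder_tokens, reserve_tokens, quorum_pct):
    # Quorum is a share of every token in existence, but tokens held by the
    # protocol's own contracts cannot vote, so only holders can supply votes.
    needed = (holder_tokens + reserve_tokens) * quorum_pct // 100
    return holder_tokens >= needed


def simulate(total_supply_fn):
    # Holder balances are unaffected by the bug; only the reported total is wrong.
    holders = total_supply_fixed(INIT_SUPPLY, SCALING_FACTOR)
    minted = rebase_mint(total_supply_fn(INIT_SUPPLY, SCALING_FACTOR), MINT_RATE)
    return minted, quorum_reachable(holders, minted, QUORUM_PCT)


def invariant_holds(total_supply_fn):
    # Unit-test style check: a scaling factor of exactly 1.0 must leave supply unchanged.
    return total_supply_fn(INIT_SUPPLY, BASE) == INIT_SUPPLY


if __name__ == "__main__":
    for name, fn in (("fixed", total_supply_fixed), ("buggy", total_supply_buggy)):
        minted, ok = simulate(fn)
        print(f"{name}: invariant={invariant_holds(fn)} minted={minted:.3e} quorum_reachable={ok}")
```

The invariant check at the end is the kind of one-line unit test that fails immediately on the shipped line, since the reported supply comes out a factor of BASE too large.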
The code flaw locked up about $750,000 worth of Curve (yCRV) tokens in the YAM treasury, assets intended to serve as a reserve currency to support the value of YAM tokens.
YAM's creators insist the bug didn't directly affect YAM balances or assets in so-called staking contracts, which involve locking cryptocurrencies for a time in exchange for some reward.
Nonetheless, after efforts to regain control of the YAM treasury failed, Yam Finance co-founder Brock Elmore tweeted an apology.
"i’m sorry everyone. i’ve failed. thank you for the insane support today. i’m sick with grief" — belmore🍠 (@brockjelmore), August 13, 2020
Absent any hope of retaking control of YAM's regulatory system, its tokens, which reached a theoretical value of $183.44 on Wednesday, plummeted to $1.04.
With close to 29 million YAM tokens in circulation, the project had a market capitalization of about $525m at one point yesterday. It still appears to have about $29m in value, if you can find any YAM buyers.
It's not as if cryptocurrency investors couldn't have seen this coming. The project's GitHub repo states explicitly that there's been no audit of the code.
"Contributors have given their best efforts to ensure the security of these contracts, but make no guarantees," the project's README.md file explains. "It has been spot checked by just a few pairs of eyes. It is a probability – not just a possibility – that there are bugs."
The associated website, yam.finance, also loads a pop-up warning when visited.
"This bug would likely have been caught by in-depth outside review or audit," said Prestwich, who observed that the project attracted interest because its creators leveraged relationships with influencers in the crypto community. "It would certainly have been caught by industry-standard testing practices."
Undeterred by its initial failure, YAM Finance aims to try again.
"We will be setting up a Gitcoin grant to coordinate a community-funded audit of the YAM contracts," the crypto outfit said Thursday in a post-mortem post. "If the funding goal is reached, upon the completion of the audit, we plan to support the launch of YAM 2.0 via migration contract from YAM." ®