Nonfungible tokens aren’t new, but their future looks brighter than ever
State of DeFi: The SYFI Exploit & Lessons From Crypto’s New Wild West
A deep dive into the smart contract exploit that evidently made one trader an instant 747 ETH profit — and what it means for crypto.
This summer, the cryptocurrency industry has seen a resurgence of the kind of reckless investing that typified the 2017 initial coin offering boom. DeFi, or decentralized finance, has quickly grown into a multi-billion-dollar niche — largely thanks to attractive (but arguably unsustainable) staking yields, speculation-driven market action and a modular ecosystem without gatekeepers.
The DeFi ecosystem includes decentralized exchanges, which, unlike their centralized counterparts, have no listing policies or verification requirements, further perpetuating market speculation. With nonexistent oversight, the actual value of many of the projects listed on decentralized trading platforms is naturally questionable. Yet, profit-hungry investors aren't necessarily bothered. If a token has some hype surrounding it (and/or meme potential), it might represent a worthy rollercoaster to hitch a ride on — flawed smart contracts or not.
The latest DeFi "exploit"
Uniswap, the leading decentralized exchange, has become one of the theaters for this renewed speculation in the crypto space. This particular DEX is at the center of the incident OKEx Insights examines in this article. A recent "exploit" involved an obscure derivative of the much-desired yearn.finance token (YFI) and an apparently incredibly lucky, anonymous opportunist. Twitter user Amplify claims to have bagged 747 ETH by exploiting a bug in the Soft Yearn Finance (SYFI) smart contract code by pure chance, without any prior knowledge of said vulnerability.
While Amplify's claims remain unverified, an actor did indeed drain almost all of the liquidity from the Uniswap SYFI/ETH pool earlier in September. Their gain was, of course, a loss for every other token holder. The trade instantly crashed the value of 1 SYFI to less than 0.0001 ETH (from almost 0.4 ETH), and CoinGecko shows that SYFI's price fell to less than $0.001 following the exploit.
If seen in isolation, the incident is nothing new for the crypto space — known for quick rises and so-called exit scams. It does, however, represent some of the major issues prevalent in the DeFi niche that merit a closer look, opening up discussions on the risks inherent in this new wave of speculation.
A bit of background
On Aug. 30, a project known as Soft Yearn Finance announced the launch of its website via Twitter. The project's white paper, published at the same time, detailed a new digital currency called SYFI. The document explains that each SYFI token would be "soft pegged" to the value of the wildly successful yearn.finance token mentioned above, YFI — i.e., 1 SYFI would be equal to 0.0003 YFI.
While the choice to peg SYFI with YFI was clearly driven by the latter's price performance, the mechanism ensuring this peg, known as a rebase, is not understood by most speculators and is at the heart of the incident under discussion.
Popularized by another DeFi project, Ampleforth (AMPL), a rebase mechanism automatically balances token supply — by destroying or minting tokens — to maintain the preset peg. For example, if SYFI's price would drop below the 0.0003 YFI peg, tokens would be burned to support price appreciation until the peg was achieved again. Similarly, in the case of price growth above the peg, new tokens would be minted to dilute the supply and bring the price down.
This entire mechanism is automated via a smart contract, and while token balances fluctuate with each rebase, their dollar value does not.
Apart from this peg to a wildly popular project, the appeal of SYFI is unclear. Judging by Soft Yearn Finance's Telegram group, however, there was sufficient hype surrounding the token for Uniswap traders and yield farmers alike to get excited.
SYFI's initial success
On Aug. 31, just a day after its white paper was released, SYFI announced a presale event via its Twitter, Discord and Telegram groups. However, whitelist applications for the event were open for just one minute on Sept. 1, which meant most buyers missed out on the presale and bought the token when it listed on Uniswap the next day.
This rush of traders resulted in trade volumes exceeding $6 million within four hours of the listing, prompting the team to make an official announcement on Telegram and providing a roadmap summary of sorts.
Paying attention to the SYFI launch was trader and Twitter user Amplify. In correspondence with OKEx Insights, Amplify — who agreed to speak on the condition of anonymity, using only their Twitter handle due to privacy concerns — stated that they became aware of the SYFI token on Sept. 2 via trading groups but missed out on the presale.
Sensing that the token would be popular, the anonymous trader claims to have bought 0.5 ETH worth of SYFI following its Uniswap listing, selling it shortly after for a quick 1 ETH profit.
As the project's first scheduled rebase drew closer, Amplify claims to have observed that many SYFI holders did not fully understand the concept. The trader stated:
"Around the time of the rebase, I noticed that the majority of $SYFI holders had no idea what a rebase meant, or what was going to happen. I saw an opportunity to ride the rebase, watch the community realize their newfound tokens (without realizing their value didn't change) and [they] would buy up the price immediately after."
When Amplify picked up another 0.5 ETH worth of SYFI tokens just before the rebase, they expected to turn a quick profit — not that a bug in the rebase code would suddenly turn their 2 SYFI into 15,551 SYFI, priced on Uniswap at just over 747 ETH.
Unsure if their subsequent sell transaction would even go through, Amplify had seconds to decide whether to attempt the exchange or not. Given how the risk was 0.5 ETH and less than $50 in transaction fees, while the reward was more than $250,000 worth of ETH, the anonymous trader took the gamble and hit sell, receiving the entire ETH stack held in the Uniswap pool. SYFI's price immediately crashed to a fraction of a cent.
In the minutes following, the penny dropped in SYFI's social groups. Users realized that practically all of the liquidity from the Uniswap pool had disappeared and, despite now possessing many more SYFI tokens than prior to the rebase, their value had dropped all but 100%.
Later that evening, the SYFI team released an official statement claiming that there had been a delay between the rebase occurring and the Uniswap price updating. This, combined with a flaw in the rebase calculation itself, allowed a "malicious actor" to wipe out most of the pool's liquidity.
The team, before muting their Telegram and Discord channels, added that they would award a "very large sum of ETH" for the identity of the "wrongdoer(s)."
In correspondence with OKEx Insights, an anonymous SYFI core team member and Telegram channel admin known as "Yarn" described the smart contract bug in greater detail:
"There was an issue with code where a function, getPar, was used to determine the peg. The developer did not take into account adjustments to its parameters to ensure the peg was set to 0.0003 YFI. This resulted in the rebase, inflating the supply by 7,719x."
They went on to reveal that the rebase contract lacked a "call to sync the Uniswap reserve," leading to the wrong price being listed on the decentralized exchange.
The next announcement in the SYFI Telegram group, on Sept. 9, detailed plans to relaunch the project with reimbursements for traders impacted and a fresh injection of liquidity.
Opportunist or malicious actor?
Amplify first claimed to be behind the liquidity-draining trade on Sept. 7 via a lengthy Twitter thread in which they referred to themselves as not a "security expert or developer." Rather than the calculated bug exploit that the SYFI team made it out to be, they claim to have just been in the right place at the right time to take advantage of the situation. According to the trader, the flaws that resulted in their ~$250,000 windfall were completely unknown to them.
Many responded supportively to the thread, stating that they would have done the same had they been in the position to do so. Speaking to OKEx Insights, Amplify said that they chose to go public with the story to "bring closure" to themselves and those that had lost money. The trader, who reiterated their wish to remain anonymous, added that they're grateful for such a community response.
When asked about Amplify's version of events, Yarn from SYFI told OKEx Insights that others had been trying to do the same thing and while some were successful, Amplify managed to take the largest chunk from the liquidity pool.
Yarn also admitted that it was negligence on behalf of a former developer of the project that resulted in the smart contract flaw. The SYFI team member stated:
"In the end, we do not want to run away from the fact that this could have been anyone. Whether it was Amplify or someone else, the results remain the same, and we admit that more thorough testing from the side of our dev should have been done."
DeFi issues highlighted by the SYFI incident
This incident, and a growing list of similar stories, raises various concerns about the seemingly mindless speculation that has returned to the cryptocurrency space thanks to the DeFi boom. These include:
- The race to get in and out of projects early — even those with questionable utility — has previously yielded massive returns. This affords little time to properly consider investments.
- Lack of barriers, financial or technical, to list a token on Uniswap encourages sloppy code implementations and even outright scams.
- Plagiarized code coupled with instant Uniswap listings can invoke a "fear of missing out" among investors, discouraging due diligence and code auditing.
- Despite emerging insurance solutions, traders often remain uncovered in the event of a loss.
- The large losses from smart contract exploits and scams risk could prompt a harsh regulatory clampdown on the entire sector.
Early successes encourage speculation
Driven by their passive income-generating potential, the rapid price appreciations of tokens like Compound's COMP, yearn.finance's YFI and others have helped inspire a level of speculation not seen since the ICO boom. Much like the 2017 mania, large numbers of questionable projects have emerged alongside those that have some apparent utility. However, many rely on copy-pasted code, and clones of already cloned platforms are very common.
Thanks to Uniswap's liquidity pool model, those listing new tokens can inflate their price by adding the first liquidity to a fresh pool. If they manage to engineer a decent level of community hype — as in the recent examples of HOTDOG, PIZZA, YMD and others — they can then dump large holdings onto latecomers. The practice, reminiscent of Ponzi schemes, has become known as a "rug pull" in the industry.
Of course, given that the trajectory of such projects is often very much upward to begin with, many speculators attempt to get into the market early to front-run any potential dump. This is the very strategy Amplify claims to have deployed, which resulted in their profitable trade prior to the failed rebase.
In their comments to OKEx Insights, Amplify was keen to distinguish between DeFi and what they describe as "aping into shitcoins," which is akin to gambling:
"Treat it like it is, a casino. You don't walk into a casino with your life savings with the expectation that you will make it big. […] Keep your bets very small because the reality of Uniswap shitcoin trading seems to be you either win big or go home with nothing."
Quick listings invite sloppy or malicious code
The backbone of this renewed speculative wave is the decentralized exchange Uniswap. Unlike more traditional cryptocurrency trading venues, anyone can add any ERC-20 token to the platform. Listings take just minutes, require minimum expense (only Ethereum gas fees) and there's no vetting process whatsoever.
This has encouraged the listing and trading of tokens with questionable utility, exploitable smart contracts and even malicious backdoors. Seeing rising trading volumes on platforms like Uniswap, centralized exchanges can, in turn, feel the pressure to add trading pairs for brand new, unaudited tokens — naturally inviting criticism from the industry.
A recent high-profile case is that of the Uniswap fork SushiSwap. The project's anonymous lead developer, "Chef Nomi," possessed the only key to the developer share of SUSHI tokens. This allowed them to cash out around $14 million on Sept. 7, crashing the price of the token and damaging its reputation.
While Chef Nomi has since returned the ETH alongside a public apology, the whole episode demonstrates how wild this new frontier really is.
In an even more brazen example, it emerged at the beginning of September that another obscure project called YUNo Finance actually had a backdoor in its code that allowed its developers to mint an infinite number of YUNO tokens. In a particularly frank admission, the YUNo Finance website's homepage features a post, apparently from the project's developer. Within it, they comment that various recently launched projects had copied YUNo's "crappy code," which itself had been copied from SushiSwap. The post continues:
"If you've got burnt, well learn your lesson. […] For those who are interested about the 'mint()' function. Yes, I can call and print money like Hotdog does."
Many smart contracts are completely unaudited
SUSHI, YUNO, SYFI and many other recent examples highlight the risks of trading unaudited, rushed-to-exchange tokens. With the earliest buyers and liquidity providers often realizing the greatest gains, and a lack of the kind of listing criteria enforced by many of the largest centralized exchanges, token markets can quickly expand before thorough reviews of the underlying code can take place.
Although interest in DeFi has been growing throughout 2020, August saw the total value locked in smart contracts really boom. Coinciding with the sudden uptick was the rise and fall of the first iteration of Yam Finance (YAM). In a matter of days, the project reached an all-time high market capitalization of $57 million, having inspired investors with its own yield-farming pitch.
As cited by Cointelegraph, notable industry experts condemned YAM around its Aug. 11 launch. MyCrypto's Taylor Monahan described the project as DeFi's turning point from "a bit wild to downright scary." Meanwhile, well-known Bitcoin-focused software engineer Jameson Lopp called for social exclusion of those promoting "ridiculously irresponsible financial products."
Like SYFY, YAM has a rebase function, and like SYFY, said rebase function failed just days after launch. The similarities don't end here, as both projects initially attracted large markets on Uniswap before smart contract flaws led to crashes, forcing second iterations.
YAM's current website now features an immediate user warning. However, it could just as easily speak for a large percentage of the new tokens hitting Uniswap each day:
In the case of SYFI, however, Amplify suggests that things were a bit more complicated, and deliberate. Amplify told OKEx Insights that they believe the SYFI bug may have been a malicious play by its developers to enable an exit scam:
"I still believe the developers were responsible for the error. One of the team members, when asked about if they would do an audit, said 'Audits are expensive, will do one after.' I agree. Audits are expensive, but the team raised 400 ETH in the presale. It's difficult to believe they ever had any intention of auditing their code, and I have presented the narrative that it is possible this token was designed with this rebase bug in mind to make for a blameless exit scam by the developers."
Professional auditors are hardly lacking in the industry today. Firms like Certik and Quantstamp Labs are just two of a growing number of those offering smart contract security services. Both firms boast impressive statistics from what many would describe as the more legitimate side of the cryptocurrency industry.
Certik claims to have conducted more than 220 audits and reviewed 188,000 lines of code. Meanwhile, Quantstamp Labs comprises an experienced team drawn from both the technology and finance industries and has worked with the likes of Libra, Ethereum, Polkadot and Hyperledger.
Although the number of teams working with smart contract security experts is growing, many continue to launch projects with unaudited code. Naturally, those deploying intentionally malicious protocols are among them.
However, as Yarn suggested, projects purporting to be legitimate can also opt out of code reviews. The SYFI core team member claims that eagerness to launch influenced their decision to remain unaudited.
Speaking on the POV Crypto YouTube channel in February 2020, Richard Ma, CEO of Quantstamp, commented that the problem of unaudited smart contracts is just as prevalent today as it was in 2017.
He stated that, although developer skills have improved a lot in recent years, the increasing complexity of decentralized applications creates new attack vectors. The subsequent "stacking" of new, often unaudited decentralized finance applications invites even greater risk.
Unfortunately, even audits are not conclusive. As Quantstamp notes in a recent blog post, Yearn, despite having had its security reviewed by the audit firm in July, updated its code within a month, giving rise to new potential vulnerabilities.
Despite the growing number of smart contract exploits of late, Certik's lead Ethereum auditor, Dominik Teiml, spoke optimistically about current efforts to bring greater security to DeFi at a May 2020 OKEx Academy Talk:
"We can never be 100% sure something is secure. However, I am very optimistic we can achieve high-security guarantees with the proper measures. Extensive and intensive audits, formal verification, generous bug bounties…"
The smart contract security expert added that users should always look for an audit report before committing funds to a new protocol.
Protection against smart contract failures still largely absent
With DeFi, liquidity mining and decentralized exchanges still emerging niches within the wider cryptocurrency industry, the number of exploits, "rug pulls" and smart contract bugs continues to grow. Although insurance solutions, such as Nexus Mutual, Opyn and others are available, we're yet to see them find widespread adoption among speculators.
Speaking on the Covalent YouTube channel in May 2020, Aparna Krishnan, the co-founder of Opyn, stated that speculators in the DeFi niche remained reluctant to take up those protections on offer. Given the explosion of activity since her statement and the fact that many of those trading or liquidity mining questionable tokens proudly refer to themselves as "degens" — a shortened form of the word "degenerate" — it stands to reason that something as safe and sensible as insurance wouldn't find much appeal.
Krishnan concluded: "It's not exciting enough for people to buy insurance for something like that."
Complicating matters is the fact that these early insurance solutions can fall victim to smart contract exploits themselves. In early August 2020, a flaw in one of Opyn's smart contracts allowed attackers to make off with around 370,000 USDC. However, some solutions for protection against smart contract exploits are starting to see rising engagement. Described by its founder, Hugh Karp, as risk-sharing discretionary cover, Nexus Mutual currently offers its users more than $200 million worth of coverage — the lion's share of which was added after Sept. 13.
While this is a small fraction of the total losses due to smart contract failure to date, it is better than nothing. Curiously, Frost Brown Todd LLC attorney John Wagster recently told Cointelegraph that Nexus Mutual actually offered coverage for the YAM token, but there weren't any buyers — a fact that indicates either a lack of awareness or concern for risk management in the space.
How will regulators respond?
The ever-mounting total of funds lost to exploits, either malicious or otherwise, will have surely struck a chord with global financial regulators, who are already watching the industry closely.
In a recent OKEx Insights article, we discussed the stance regulators have taken thus far toward the sector, referencing the case of DEX EtherDelta, which, in 2018, the U.S. SEC deemed to be operating as an unregistered exchange. The judgment followed a report by the agency on the decentralized autonomous organization The DAO, which established that certain digital currencies were to be considered securities.
Numerous recent rulings, such as the emergency restraining order against the social messaging firm Telegram, showed that the agency was eventually prepared to come down hard against ICO offerings. It seems only a matter of time before it starts scrutinizing DeFi projects as well.
Speaking with OKEx Insights, Kristi Swartz, a managing partner at Swartz, Binnersley & Associates, questioned whether or not regulators would eventually hold smart contract developers responsible for loss of investor funds through exploits. She added:
"Similarly, consideration should be given as to governance — which regulator may be involved, which governing law does the contract rely on?"
Swartz also speculated as to whether agencies would even be able to offer protection for vulnerabilities in code. However regulators approach the industry, she advised that those using decentralized financial protocols should always research a smart contract before committing funds to it.
Is DeFi riskier than ICOs?
Like ICOs before them, the latest trend of yield farming in DeFi has encouraged a new wave of risk-taking and speculation. While ICOs — even the scams — generally had a semblance of legitimacy around them, most DeFi protocols are anonymous, openly plagiarized and listed instantly on decentralized exchanges in the absence of gatekeepers.
Based on previous price performances and attractive passive income streams, market participants feel the pressure to "buy now and ask questions later." As a result, prices of tokens with backdoors and exploitable code often end up skyrocketing, creating a powerful incentive for bad actors to exploit vulnerabilities or for developers to pull the proverbial rug. This risk of waking up to find all your money gone one day wasn't as prevalent with ICOs.
That being said, some of the responsibility must surely fall on the shoulders of those rushing to use, and attempting to profit from, these brand new, unaudited financial protocols.
The fact that SYFI v2 launched on Sept. 12 — and according to CoinGecko, had attracted another $2.2 million of trade volume just nine hours after the relaunch — indicates that many understand the risks but choose to take them anyway.
Given the large sums of money being lost to smart contract failures, the growing trading volumes on decentralized exchanges and the rising numbers of outright scams in the industry, it seems only a matter of time before regulators once again step up their efforts to protect investors.
A regulatory clampdown helped spell the end of the ICO mania following the 2017 boom, and it is fair to assume that a similar fate awaits the DeFi sector.
Disclaimer: This material should not be taken as the basis for making investment decisions, nor be construed as a recommendation to engage in investment transactions. Trading digital assets involve significant risk and can result in the loss of your invested capital. You should ensure that you fully understand the risk involved and take into consideration your level of experience, investment objectives and seek independent financial advice if necessary.
OKEx Insights presents market analyses, in-depth features, original research & curated news from crypto professionals.