BNB
by BSCN
October 4, 2022
How safe are yield farms? What are the common causes of exploits? What are projects doing to improve the security of their yield farms? Learn more here!
By giving investors a new platform to diversify their portfolios, the promise of Decentralized Finance (DeFi) is starting to take shape. However, with the rise in investors’ participation, there’s also been a rise in exploits of yield farms.
Across all chains, DeFi protocols have about $80 billion in Total Value Locked (TVL), according to DefiLlama, with that number having crested at an all-time high of more than $250 billion during the latest bull run. With all this capital in the crypto ecosystem, investors have discovered yield farming to be an attractive way to enhance their returns.
At the same time, this has created opportunities for bad actors to steal users’ funds by deploying exploits, often with enough ferocity to hijack entire projects. By now, millions upon millions of dollars have been stolen, mainly through anonymous hacks, with very little finding its way back.
The majority of these exploits are based on unseen and unintentional bugs in a protocol’s smart contract. That happened with KetchupSwap, Lokum, YBear, Piggy, CaramelSwap, GoCerberus, and GarudaSwap -- all yield farms operating on BNB Chain.
The attackers found that these projects were all using the same MasterChef contract to distribute rewards. Due to an error in this contract, nearly $10 million was stolen, sending the prices of their native tokens plummeting close to $0.
Of course, such exploits are not exclusive to BNB Chain. For example, on Polygon, the value of the PolyYeld Finance project also collapsed to $0 after attackers found a vulnerability that let them mint an excess supply of YELD tokens. According to PeckShield, $250,000 was stolen overnight.
To combat the rise of exploits, different yield farms are adopting various strategies to ensure they are not the target of the next hack. GarudaSwap initiated Thoreum Finance, which introduces smart contract upgrades that are “security proofed,” known as THOREUM Masterchef.
Curve Finance, on the other hand, uses different strategies to mitigate the risk of exploits. These include security audits of its smart contracts, where experts double-check the code for any bugs, and the Curve Emergency DAO, where participants can vote to pause and unpause the pool if they find something “fishy.”
With any type of investment, there will always be some level of risk. As the amount of money at stake continues to increase, and accordingly the potential rewards for successful hackers, yield farms are adopting more conservative stances and defensive approaches in order to minimize margins of error.
As exploits grow more sophisticated, projects must continuously monitor, test and update potentially vulnerable lines of code.