The vulnerability was discovered on September 24 and fully disclosed on September 25.
It appears to have been a fairly simple oversight: “triggering a faulty earn() could manipulate the share price, allowing you to buy the dip,” the report says.
They say it wasn’t exploited, yet they also say it was discovered after some users reported losing money when the share price dipped, as pictured above.
It’s not clear whether YFI’s price reflected some advance knowledge of this, as it more than halved before recovering:
$20,000 looks like fairly strong support here, at a market cap of $600 million, for a code-based investment dapp ecosystem that currently holds $800 million worth of locked assets.
Its market cap has since risen to nearly $900 million. This is the second oversight: the A parameter on the Y Curve pool gave people cheap DAI for months.
This latest vulnerability, however, was quickly resolved by switching back to a previous strategy, which apparently anyone can do as long as that strategy has already been approved.
The A parameter change, meanwhile, was going through a Curve vote, and the team had not yet re-launched the yETH vault: “we’ve hit a blocker and we are solving it,” they said, giving no estimate of a re-launch beyond “soon.”
Many of these are very new dapps, which makes them risky: they haven’t yet stood the test of time, and they hold huge sums in what must be the biggest bounty ever.
That’s if an attacker could get away with it. It’s not clear whether Vitalik would simply step in to reverse it in that sort of situation, but obviously that’s not a repeat anyone wants to see.