YFV Update: Staking Pool Exploit
FUNDS ARE SAFU
On Monday, August 24th, the team identified an exploit for the YFV staking pool that enables malicious actors to individually reset timers for staked YFV. This attack is not economically sustainable in the long run due to gas fees, but hackers could still delay YFV claims and inconvenience members of the community who have staked their YFV. A malicious actor is currently attempting to extort the team by threatening this tactic.
We have identified this malicious actor as a resentful farmer who had, despite our repeated announcements and reminders from the community, neglected to remove his funds from Pool 0 before its close at 7:52AM UTC today. Upon hearing that the team decided to leave the decision of whether to rescue his funds up to the community, he decided to resort to threats and extortion.
The team is committed to acting swiftly on behalf of our community, and has decided to take the following actions:
(1) Inform all stakers to stop staking YFV in the current staking pool and to remove their funds as soon as their timers allow. We have removed the staking option on the frontend UI for this purpose.
(2) Burn the current YFV staking pool by the next epoch (timestamp = 1598623238 or Friday, August 28, 2020 2:00:38 PM GMT+0). In effect, this will amount to a 14.75% supply burn. If the community wants a new staking pool, we will work on a plan to migrate to a new staking pool as soon as possible.
(3) Rescue funds currently trapped in the pool. The team has formulated a plan to unwind the YFV staked in the pool, but at this time will not disclose it in order to prevent interference from malicious actors.
(4) Compensate community members (if any) affected by timer reset attacks who, for whatever reason, did not benefit from the rescue plan. We will draw upon our Dev fund (~300K YFV) to make affected community members whole.
This situation is still evolving, but we will provide any further updates as quickly as possible.
As you might imagine, this is not the news we would have hoped to deliver so shortly after our last announcement regarding the minting keys. We absolutely owe the community another apology for this new incident.
Nonetheless, we are committed to providing complete transparency, protecting staked funds, and doing whatever is necessary to preserve and improve the community’s trust in the YFV project now and going forward. Thank you for your time and for contributing to the YFV ecosystem. Please anticipate an update and better news as the situation unfolds.