YTRU incident and FaaS improvements
YTRU case summary
The Yield Trust (ytru.finance) project contacted the Value DeFi team via Twitter when we first originally announced the availability of our Farms-as-a-Service product. YTRU launched their FaaS pool WETH/YTRU 50/50 at start block https://t.co/L7tPCcu7lF?amp=1 . Since we did not have a GUI for the creation yet, we helped the YTRU team create their FaaS pool and set the governance address to their address for post-deployment, a standard procedure that took less than 5 minutes our time. (Note: anyone who understands coding could have followed the same steps without our intervention). By design, the governance address of the FaaS fund contract has full control over the underlying assets in the contract and as well of its other parameters. The YTRU team sent 5200 YTRU token to the FaaS reward fund contract as incentive rewards for their LPs as proposed.
Since we had not implemented the whitelist feature on our frontend for FaaS yet, any FaaS pool would automatically appears there. After checking the YTRU contract and after making sure the token could not be minted, we made a short announcement about the YTRU/WETH new FaaS pool. The fact we knew new tokens could not be minted above and beyond to supply count of 30,000 YTRUs, we determined the likelihood of a rugpull was going to be low as the owner of the token would not have been able to mint an infinite amount of tokens and sell them to LPs.
On Nov-08–2020 at 02:02:28 AM +UTC, the YTRU team used their YTRU deployer to send the remaining 10400 YTRU tokens in the FaaS reward fund contract to their governance address 0x2fcc7e3536bfaaa458413b775761eda44124f680 (see txid https://etherscan.io/tx/0xb7710af22ec1256fedf4b6c08430d9d8f5d8178299e3c956e55b39009dae2a74) and then sold all of those YTRU tokens for ETHs. After this first sale, they used their governance address to withdraw the remaining 5,174 YTRU from the FaaS reward contract and sold these remaining YTRU as well (see txid: https://etherscan.io/tx/0x92aaa911e9f513fa393908dbc34ef6fd8bb9fd46e257e941c380c9ea48fefce4).
We identified the suspicious transactions and contacted the Yield Trust team right away for clarification. However, they failed to respond to any of our inquiries.
While YTRU used the plug-and-play FaaS technology to integrate a pool with their token into our platform, no formal partnership exists between Value DeFi and the YTRU team.
Solution for affected liquidity providers
To ensure fairness for this first occurrence on the FaaS platform, we will decide on resolution through a governance vote.
FaaS improvements
We would like to truly thank the community for their great ideas and suggestions on how we can further improve the FaaS platform.
Farms-as-a-Service is one of Value DeFi’s core products and while the Value DeFi team will take many precautions to ensure the authenticity of new projects coming onboard, the plug-and-play aspect of FaaS makes it nearly impossible for the Value DeFi team to mitigate all risks. This being said, and moving forward, we will be adding a clear disclaimer and warning message to the user-interface of LPs to ensure the risks are well understood by all investors.
In addition, we will be implementing a Trust Score, which will be a combination of many factors such as Technical Score, Business Score, and Community Score. Details of Trust Score will be explained in a separate article.
