De.Fi

Control your digital assets with a full suite of innovative tools. Invest and make money.


The YFFS Saga: How a Yield Farming Project Was Compelled to Fix Its Code and then Rug Pulled

Yield farming provides asset-holders with the opportunity to earn tokens through locking into smart contracts for a certain duration. But it also raises the possibility of loss of funds, due to smart contract error or impermanent loss when liquidity pooling, which can occur as a result of dramatic price movement or operator malfeasance. As a result, it’s vital that farmers inspect the code of any project they’re considering staking in.

Performing some basic checks on the integrity of the code can potentially save thousands in losses, not to mention the time wasted on staking in futile projects, when the capital could have been better used elsewhere. De.Fi.info periodically inspects the code of new yield farms to detect anomalies and provide feedback to the community and project team on underlying risks.

Recently, I audited the YFFS project and published the post on the 6th of November.

https://archive.vn/5xsBq / https://twitter.com/de.fi.info/status/1324764207661883392

In essence, the project raised lots of questions, primarily because its implementation could not be called decentralized.

The trouble was that the owner had a lot of permissions to manipulate the staking process and users’ staked assets, which, consequently, jeopardized users’ funds. For instance, there was a function called YFFSDeflationStake that stopped staking and transferred all staked tokens to the hardcoded EOA address 0x489B689850999F751760a38d03693Bd979C4A690.

https://archive.vn/sVdIF / https://twitter.com/de.fi.info/status/1324764326352343046

These alarming facts made me rate the scam probability as high.
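As an added illustration (not De.Fi's tooling and not the YFFS source), here is a heuristic first-pass check for the pattern described above: an owner-gated function that sends tokens to an address literal. The contract, function names and address in the sample are constructed, and a regex scan like this only narrows down what to read by hand.

```python
import re

# Constructed Solidity sample: hypothetical contract, function names and address.
SAMPLE = """
contract Stake {
    function withdraw(uint256 amount) external {
        token.transfer(msg.sender, amount);
    }
    function closeStaking() external onlyOwner {
        stakingOpen = false;
        token.transfer(0x1111111111111111111111111111111111111111,
                       token.balanceOf(address(this)));
    }
    function setGovernance(address g) external onlyOwner {
        governance = g;
    }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")  # name, modifiers
ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")                    # 20-byte address literal
MOVE_RE = re.compile(r"\.(?:safeTransferFrom|transferFrom|safeTransfer|transfer|send)\s*\(")
PRIV_RE = re.compile(r"\bonly\w+|msg\.sender\s*==\s*\w*(?:owner|governance)", re.I)

def functions(src):
    """Yield (name, modifiers, body) for each function, matching braces by depth."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1]

def audit(src):
    """Return (privileged function names, findings) for manual review."""
    privileged, findings = [], []
    for name, mods, body in functions(src):
        is_priv = bool(PRIV_RE.search(mods) or PRIV_RE.search(body))
        if is_priv:
            privileged.append(name)
        for stmt in body.split(";"):  # statement-wise, so multi-line calls still match
            addr = ADDR_RE.search(stmt)
            if addr and MOVE_RE.search(stmt):
                sev = "HIGH" if is_priv else "MEDIUM"
                findings.append((sev, name, addr.group(0)))
    return privileged, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The list of privileged functions is worth reading in full even when no finding is raised, since it shows everything the owner key can still do.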

The team’s answer was as follows:

https://archive.vn/02j1c / https://twitter.com/yffsfinance/status/1324774756294426624

I failed to locate any such article addressing this matter.

Also, they tried to deflect and whitewash themselves by providing dubious arguments.

https://archive.vn/sRGMt / https://twitter.com/yffsfinance/status/1324792629759037443

However, I couldn’t resist responding and suggested that the YFFS team perform some vital changes for the project to become safer. I proposed adding either a timelock or governance to prevent centralized project control.

https://archive.vn/rC01X / https://twitter.com/de.fi.info/status/1324803253926797315

My next suggestion was about how to implement the necessary changes to renounce contract ownership.

https://archive.vn/Rxi2z / https://twitter.com/de.fi.info/status/1324803436223832064

Consequently, the YFFS team answered, stating that the changes would take place the same day.

https://archive.vn/hi7fy / https://twitter.com/yffsfinance/status/1324918346396041216

A bit later, the YFFS team informed the community that the Admin key had been burnt. Indeed, they called the transferOwnerShip and setGovernanceAddress functions with the 0x000 address as the parameter, transferring ownership of the YFFSDeflationStake contract to it. This way they completely got rid of the ability to invoke these functions.

https://archive.vn/AOXon / https://twitter.com/yffsfinance/status/1324960642336399360?s=21

On November 8, the YFFS team posted a tweet thanking De.Fi.info for auditing its code.

https://archive.vn/ahrLX / https://twitter.com/yffsfinance/status/1325477647716024320

Conclusion

To summarize, I revealed unacceptable functionality in the YFFS finance project, outlined that in the report, and informed the community along with the YFFS team. In turn, after heated discussions in which I provided irrefutable facts, the YFFS team decided to implement the changes I recommended. This transformed the project for the better.

One more project has improved and become much more trustworthy, safe, and decentralized. That’s exactly what the community wants.

Together we are heading in the right direction to refine yield farming.

Don’t trust: verify. Always.

Update: 25th of December

Eventually, YFFS rug pulled.

The team tried to seem pretty cooperative as they agreed to edit the problematic code as I insisted.

But this step was just a part of the deception. The intention to steal user funds did not disappear. The team just pretended to be disturbed and interested in security improvements. YFFS made changes to the code only for demonstrative purposes. In fact, the scammers continued to pursue their initial strategy and managed to steal the funds through interactions with FECORE and YFFC tokens.


Good luck in farming!


Written by De.Fi
