- An out-of-order harvest has unveiled a deeper issue in single-sided Curve DAI strategy.
- A method it used to estimate its assets has led the strategy to believe it had suffered losses.
- yvDAI v2 vault experienced a temporary share price dip during the incident.
- No funds were lost and the share price has been restored after the strategy was migrated.
SingleSidedCrvDAI
strategy deposits DAI into the ib3CRV
pool on Curve and then deposits that into another Yearn vault. The Curve pool contains cyDAI, cyUSDT and cyUSDC.
The value of the strategy's position is calculated in the estimatedTotalAssets
function. It aims to return the total value that could actually be obtained from the strategy if it were to divest its entire position based on the current on-chain conditions.
It does this by simulating a withdrawal of all assets from the Curve pool back to DAI. As the strategy grew over time the size of this simulation increased until it was simulating a single 85,270,663 DAI withdrawal. Behind the scenes this is equivalent of selling a very large amount of USDT and USDC in a single trade which would cause a large loss.
A loss of 4,932,713 DAI was incorrectly reported during the harvest
function call[1] which updates the vault's profit and loss figures. This amount is equivalent to the slippage of a single-sided 85.27 million DAI withdrawal.
This was a paper loss as the trade didn't happen. It was a simulation to determine how much DAI would be returned if all funds were divested at once.
The strategy should have used non-manipulatable get_virtual_price
function to estimate its assets.
estimatedTotalAssets
function was changed to report assets based on virtual price of the Curve pool rather than the realisable value[2].
The first harvest
of the fixed strategy has offset the paper loss and reported a 5,332,803 DAI profit[3].
- May 14, 2021 08:32 (UTC)
SingleSidedCrvDAI
strategy reports a 4.93 million DAI loss after out-of-order harvest[1]. - 09:42 A user reports an unusual drop in yvDAI vault share price from 1.04323 to 1.03531.
- 10:13 Root cause is identified and the fix is produced[2].
- 10:49 A fixed strategy is deployed[3] and the migration is queued.
- 11:39 Migrate transaction is executed[4] and the share price returns to normal.
As per Yearn's security process document[5], the project does not currently have any established bilateral disclosure agreements. In line with our security policy, no disclosure has therefore been made to third parties prior to to this publication.
- https://ethtx.info/mainnet/0x5558d40c511524b015cd307a134b3358f52326cf39c2c6e61604d5726c64dfdd
- https://github.com/Grandthrax/SingleSidedCurve/commit/f12140f53a92e886bf3246c38cb9e97d2b2550dc
- https://ethtx.info/mainnet/0x66847f4dc80a6b4c32666972a9a68416d802d78b54619503fd0aec358fedb185
- https://etherscan.io/tx/0xc8cf642eaf73e0adadcd629d534ebd4fee795196745e6f217f06f5ea5a1b34fc
- https://github.com/yearn/yearn-security/blob/master/SECURITY.md#yearns-security-process