How DeFi struggles to balance governance with deposit safety.
TLDR:
- Between the launch of yVaults on July 25th and August 6th, yearn.finance developer Andre Cronje was in control of $40m of customer funds.
- On August 6th, while discussing an earlier draft of this article with me, he handed the relevant governance rights to the 6-of-9 wallet of community stakeholders that also controls YFI minting.
- Most users are not aware that all governance-heavy protocols like yearn.finance, Compound or Aave are more-or-less custodial.
What is yearn.finance
yearn.finance describes itself as a yield aggregator. I like to think of it as a fund where anyone can invest and then a human manager (or set of managers) directs this capital to the highest-yielding opportunities in DeFi.
Since launching its governance token YFI in mid-July, yearn.finance has exploded in popularity. While the token was lauded for its fair launch and wide distribution, there was a popular misconception that user funds are controlled by YFI token holders or at least a multi-signature wallet that represents their interest.
In practice, governance works like this:
- YFI token holders can vote on new proposals. These votes are informal – when a proposal is approved then yearn.finance’s developer Andre Cronje will go and implement it – compared to, say, Compound, where proposals are implemented first and then activated by a formal vote.
- As of July 21st, 6-of-9 community stakeholders controlled the minting of additional YFI tokens.
- A Controller is in charge of all investment decisions and hence customer funds.
The Controller
To understand the way funds are custodied, we need to understand vaults and strategies. Vaults are basically boxes with investor money, and strategies are smart contracts that implement investment strategies such as lending a coin to the highest-APY money market. Anyone can deploy them, but to allocate people’s money, a vault must be connected to a specific strategy.
This connection between the vaults and strategies is made by a central smart contract called the Controller. As of August 6th, the address of the governance in the Controller was Cronje’s address:
We’ll briefly go through the steps of changing a vault’s strategy.
First, you call the setStrategy function:
The function only executes if the msg.sender is set as governor of the Controller.
Changing a strategy first withdraws all funds from the existing strategy and sends them back to the vault:
In the next step, you would call earn on the vault, which calls the Controller’s earn function:
…which proceeds to send the funds to the new strategy.
You can check the Controller for yourself here.
In short, the Controller can set the strategy of every vault as well as change the strategy of already existing vaults.
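The flow above, written out as an added example. This is a simplified Python model, not yearn.finance's contract code: the function names setStrategy, earn and setGovernance come from the text, while the class layout, `withdraw_all`, `funds_location` and the caller names used with it are assumptions made for illustration.

```python
class Strategy:
    """Holds whatever the Controller forwards to it (model only)."""
    def __init__(self, name):
        self.name, self.balance = name, 0

    def withdraw_all(self):
        amount, self.balance = self.balance, 0
        return amount


class Vault:
    def __init__(self, controller):
        self.controller, self.balance = controller, 0

    def deposit(self, amount):
        self.balance += amount

    def earn(self):
        # The vault hands its idle balance to the Controller, which forwards it.
        amount, self.balance = self.balance, 0
        self.controller.earn(self, amount)


class Controller:
    def __init__(self, governance):
        self.governance = governance
        self.strategies = {}  # vault -> active strategy

    def _only_governance(self, sender):
        if sender != self.governance:
            raise PermissionError("!governance")

    def set_governance(self, sender, new_governance):
        self._only_governance(sender)
        self.governance = new_governance

    def set_strategy(self, sender, vault, strategy):
        self._only_governance(sender)  # the only check between a caller and the funds
        current = self.strategies.get(vault)
        if current is not None:
            vault.balance += current.withdraw_all()  # funds return to the vault
        self.strategies[vault] = strategy

    def earn(self, vault, amount):
        self.strategies[vault].balance += amount  # forwarded to the active strategy


def funds_location(vault, controller):
    """Report where a vault's deposits currently sit."""
    s = controller.strategies.get(vault)
    return {"vault": vault.balance, "strategy": s.name if s else None,
            "in_strategy": s.balance if s else 0}
```

In this model, depositors have no say in where `earn` sends their balance: whoever holds the `governance` address decides, and a `set_governance` call changes that holder for every vault at once.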
Potential for theft
This power of the Controller allows for a very simple but powerful exploit. At any time, it could decide to connect vaults to a strategy that drains all user funds. The strategy could be as simple as transferring these funds to an account controlled by the adversary and there would be no warning or reaction period for users.
As usual with admin key attack vectors, the main risk is not necessarily for AC himself to turn malicious, but for this admin key to be stolen by a third party.
As of the August 6th snapshot, $165m was locked in yearn.finance, but most of it was in YFI-related Curve pools that are not susceptible to governance attacks. $40m was locked in vaults, and this money was exposed to the Controller.
Cronje’s reaction
On August 6th, I discussed an earlier draft of this article with Andre Cronje to confirm that my analysis was correct. In the course of this discussion, he decided to call setGovernance on the Controller.
With that transaction, he handed control of the vault funds to the community-controlled multi-sig wallet and removed himself as a risk factor.
However, I never intended for Cronje to give up control of the funds. There were good reasons the protocol was set up that way: waiting for 6-of-9 community holders in different time zones adds significant overhead and delay to the operations of the platform. As a result:
- it would be harder to react to bugs, which are common in a complex young protocol.
- it would be harder to rapid-prototype new vaults and strategies.
- it would massively hurt yields in a market environment where the correct investment strategy in DeFi changes daily.
Instead, I wanted to educate investors about what trust assumptions go into using a protocol such as yearn.finance.
All governance-heavy protocols are more-or-less custodial
In the hype that DeFi is going through right now, it is easy to forget that the exploit I described here – customer funds that can be drained via governance – is present in many other protocols as well.
For example, in Compound, a supermajority of coin holders can vote in arbitrary new logic. While this logic takes 48h to activate, it is unlikely that all $800m would be withdrawn in time. It is very difficult for protocols reliant on active management to balance the necessary governance rights with the security of customer funds.
A protocol like yearn.finance that relies on rapidly adapting to market conditions will likely always fall on the side of needing more control at the expense of deposit security. As a result, users should stop looking at it as a non-custodial system but instead as an actively managed fund where the controller is the fund manager. Previously, that was Andre Cronje, today it is the 6-of-9 multi-sig.
The more governance exists in a system, the more likely it is to be captured. Secure DeFi systems of the future should be designed with minimal governance levers in play in order to be maximally secure and minimally rent-seeking.
THANKS TO
Thank you to a co-writer who would like to stay anonymous. Thank you to Andre Cronje, Su Zhu, and John Adler for their comments.