Links

Yearn yDAI hack (05/02/2021)

Claim Event #3: Yearn yDAI hack (05/02/2021)

There is a full post-mortem of this loss event and the claim payouts in the Paying claims for the Yearn hack Medium post. Claim 93 is not reflected in the post-mortem, as it was filed in May 2021. That claim is included in the review below.
For a recap of the Yearn yDAI vault hack, you can read Yearn’s Vulnerability disclosure 2021-02-04.

Total Claim Payouts

A total of 1351 ETH and 132,160 DAI ($2,412,999.26) was paid out to Yearn Finance Smart Contract Cover Holders. Smart Contract Cover has since been deprecated and been replaced by Protocol Cover, a more comprehensive cover product that protects against more risks in DeFi.

Overview

After this exploit occurred, Claims Assessors discussed this loss event in the mutual's Discord server. Because Nexus Mutual is a discretionary mutual, members participate in the Claims Assessment process and review the validity of claims submitted after a loss event occurs.
Members reviewed the information available after the hack occurred and the consensus was that this was a covered event, as it met the conditions outlined in the existing cover wording at the time of the hack.
Smart Contract Cover wording v1.3, the cover wording active at the time of the Yearn yDAI v1 hack
The Yearn development team worked with the mutual to provide members with a complete list of impacted addresses for Claims Assessors to refer to when checking the proof of loss requirement during the claims voting process.

Filed Claims and Outcomes

A total of eighteen (18) claims were filed and voted on by Claims Assessors. As stated in the section above, Claims Assessors had determined this was a covered event. Once it has been determined that an event is covered, Claims Assessors review the validity of claims to determine:
  • Did the Cover Holder have active cover at the time of the exploit?
  • Did the Cover Holder have a cover with an ID lower than lower than #2291?
    • The Proof of Loss requirement was implemented for cover IDs higher than #2291. Any Cover IDs lower than #2291 were not subject to the Proof of Loss requirement.
  • Did the Cover Holder have a cover with an ID higher than #2291?
    • If so, then Proof of Loss was required for a claim to be approved.
    • If Proof of Loss was provided, then Cover Holders were required to demonstrate a material loss of at least 20% of the cover amount.
Total list of filed claims in relation to the yDAI vault hack

Proof of loss

Members voted and approved Proposal 109: Include Proof of Loss in Smart Contract Cover Wording. After this proposal was passed, members introduced Proof of Loss in October 2020 which means that cover ID#2291 and above require proof of material loss per a signed message from the impacted address at the time of claiming. Claimants must demonstrate a material loss of at least 20% of the cover amount.

Approved Claims

Claims Assessors reviewed and approved Claims 72–75, 77–84, 86–87, and 93. Of the 15 claims that were approved, none required Proof of Loss, as these cover policies had IDs lower than #2291. As Proof of Loss was not required, Cover Holders could submit a claim regardless of whether or not they experienced a loss of funds due to the yDAI vault hack.
Claim 72
Claim 73
Claim 74
Claim 75
Claim 77
Claim 78
Claim 79
Claim 80
Claim 81
Claim 82
Claim 83
Claim 79
Claim 86
Claim 87
Claim 93

Denied Claims

Claims Assessors reviewed and denied Claims 76, 85, and 88.
Claim 76 [Cover ID #2929]. The address provided as Proof of Loss was not among the affected addresses and was not impacted by the yDAI vault hack. Claims Assessors voted to deny this claim as no loss of funds occurred due to the hack.
Claim 85 [Cover ID #2458]. The address provided as Proof of Loss was among the affected address but did not incur a loss of funds that met the 20% or greater criteria as specified in the cover wording. Given this, Claims Assessors voted to deny this claim.
Claim 88 [Cover ID #641]. This Claim did not require Proof of Loss, but Claims Assessors voted to deny. It’s unknown the complete rationale for the denial of this claim, but Hugh speculated that “...I suspect voters took the view that there was no loss in this case but I can see arguments on both sides here. The claimant may resubmit one more time if they wish though. If they do so, I would encourage them to put forward arguments in this channel and as part of the claim submission.”
Due to a minor bug in the Nexus contracts at the time, the Cover Holder who filed Claim 88 was not able to resubmit their claim again until May 2021. When the Cover Holder of Cover ID #641 resubmitted their claim (i.e., Claim 93), their resubmission was approved because their claim did not require Proof of Loss. Cover Holders can submit a claim up to two times if the first submission is denied. In this case, Claims Assessors determined that the original decision was incorrect and approved this claim.

yDAI Vault Restored

Tweet from the Yearn Finance account indicating that the protocol had compensated users for the loss of funds.
The Yearn team replenished the vault which reimbursed all users who suffered loss. At this point there were two claims which required proof of loss that had already been denied for other reasons. These were:
  • Claim 76, which was submitted without valid Proof of Loss; and
  • Claim 85, which was submitted with a loss of <20% of the cover amount.