- PolyYeld Finance’s YELD token has crashed to zero after attackers exploited a vulnerability to mint nearly 4.9 trillion tokens.
- The attack targeted PolyYeld’s Masterchef pool, which contained xYELD tokens.
- Several other yield farming projects on Polygon have suffered similar attacks in recent months.
PolyYeld Finance was exploited today, leading to a price collapse of its native token.
Attacker Exploits PolyYeld Vulnerability
PolyYeld Finance’s native token has collapsed to zero after attackers took advantage of a vulnerability to mint an excess supply of tokens.
The attacker exploited a vulnerability in the PolyYeld Masterchef contract, a type of contract used by yield farms to distribute rewards. The attack targeted a Masterchef pool containing another token called xYELD, which generated passive income for holders by charging fees on each transaction and distributing them as YELD rewards.
In a note shared on Telegram, the PolyYeld team claimed that its Masterchef contract could not support xYELD’s reward distribution system, which allowed the attack to take place. They said:
“[The] xYELD token contains a transfer tax which was added to Masterchef, which unfortunately could not support tokens with transfer taxes.”
The lack of Masterchef support meant attackers could mint free reward tokens by shrinking the value of the xYELD liquidity pool.
The Masterchef contract was invented for distributing rewards for liquidity pool tokens. But more recently, yield farms on Binance Smart Chain and Polygon have started using master contracts for single asset tokens or “transfer fee tokens” like xYELD.
Security firm PeckShield explained that a deflationary token such as xYELD charges a fee on its transfers. Through repeated deposits and withdrawals, the Masterchef's xYELD balance was maliciously shrunk down to 1 WEI, the smallest denomination of 1 Polygon.
A Masterchef contract estimates rewards by dividing the pool value by the value of tokens staked, meaning if the pool value is reduced, it can dramatically inflate the rewards. Xuxian Jiang, founder and CEO of PeckShield, told CryptoBriefing:
“By repeated deposits and withdraws with the MasterChef, the attacker frequently triggers the tax collection. This gradually reduces the xYELD balance of MasterChef to 1 WEI, which led to actual exploitation.”
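The accounting drift described above, as an added example that is not PolyYeld's contract code: a simplified Python model of a Masterchef-style farm staking a transfer-taxed token, with the weak accounting (credit the requested amount) beside a common mitigation (credit only what actually arrived). The 3% tax, the balances, all names and the omission of per-user reward debt are assumptions made for illustration.

```python
# Constructed model (not PolyYeld's contract): MasterChef-style staking of a
# token that taxes every transfer. All names and numbers are assumptions.
TAX_BPS = 300            # assumed 3% transfer tax
PRECISION = 10**12       # fixed-point scale commonly used for reward-per-share

class TaxedToken:
    def __init__(self, balances):
        self.bal = dict(balances)

    def transfer(self, src, dst, amount):
        fee = amount * TAX_BPS // 10_000          # tax withheld on every transfer
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount - fee

class Farm:
    def __init__(self, token, credit_received):
        self.token, self.credit_received = token, credit_received
        self.staked = {}                          # amount credited to each user
        token.bal.setdefault("farm", 0)

    def deposit(self, user, amount):
        before = self.token.bal["farm"]
        self.token.transfer(user, "farm", amount)
        received = self.token.bal["farm"] - before
        # Weak: credit the requested amount. Hardened: credit what arrived.
        credit = received if self.credit_received else amount
        self.staked[user] = self.staked.get(user, 0) + credit

    def withdraw(self, user, amount):
        assert self.staked.get(user, 0) >= amount
        self.staked[user] -= amount
        self.token.transfer("farm", user, amount)

    def owed_for(self, reward):
        # Reward-per-share uses the farm's live token balance as denominator.
        per_share = reward * PRECISION // self.token.bal["farm"]
        return sum(self.staked.values()) * per_share // PRECISION

def simulate(credit_received, cycles=10, reward=1_000_000):
    token = TaxedToken({"alice": 1_000_000, "bob": 1_000_000})
    farm = Farm(token, credit_received)
    farm.deposit("alice", 1_000_000)              # long-term staker
    for _ in range(cycles):                       # deposit/withdraw churn
        farm.deposit("bob", 100_000)
        farm.withdraw("bob", farm.staked["bob"])
    balance, credited = token.bal["farm"], sum(farm.staked.values())
    return {"balance": balance, "credited": credited,
            "solvent": balance >= credited, "owed": farm.owed_for(reward)}
```

The `solvent` field is the invariant worth monitoring on a live farm: once the token balance held by the contract falls below the sum of credited stakes, the rewards owed for an emission exceed the emission itself.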
As the attackers minted 4.9 trillion tokens and sold a portion of them, the market was immediately flooded, leading the price to collapse to zero. According to PolyYeld’s website, the maximum supply was intended to be 62,100 YELD tokens.
Since the attack, the price of YELD has crashed from $25 to $0 in the space of a day. Meanwhile, xYELD is down from $100 to around $7, as per Dex Guru.
In the note posted in the PolyYeld Telegram group, the team asked users to unstake their funds. It added that it was considering a compensation plan and promised a report in the coming days. Meanwhile, the Telegram group remains muted along with other channels of communication.
This is yet another security incident involving Polygon-based yield farms. In recent months, projects such as Iron Finance, PolyWhale, and SafeDollar were targeted in a similar fashion, wherein attackers hyperinflated the token supply and caused a price collapse.
PolyYeld held more than $20 million in total value locked as of last week.