- A DeFi trader took home 747 ETH in a single trade last week.
- They had exploited a DeFi smart contract.
- They quit their job.
A week after turning $200 into $290,000 with the click of a button, the DeFi user behind the coup came clean. “I am the malicious actor who pulled the rug on innocent chads,” tweeted a pseudonymous trader named Amplify.
A “chad”, if you’re wondering, is a powerful man who effortlessly sleeps with lots of women. In this case, Amplify drew power from effortlessly exploiting a bug in a derivative of $YFI, the governance token that powers the yearn.finance DeFi protocol. Or as Amplify put it: “Accidentally pulled the rug on thousands of people by exploiting a bug I didn’t know existed.”
The project Amplify claims to have ripped off is called Soft Yearn Finance (SYFI), whose sole purpose is to track the price of $YFI. $SYFI has a “rebase” mechanism, meaning that its protocol resets the price every time it deviates from $YFI. It achieves this by destroying tokens in, or minting tokens to, the balances of its holders.
On September 3, $SYFI’s rebase function messed up. Amplify reported the play-by-play via tweet: “So there I am 2 minutes before Rebase with my 2 $SYFI I bought for $100 each, waiting for my key to this aforementioned citadel of confusion.”
They then looked at Uniswap, a decentralized exchange that supports $SYFI trading, where they noted, “2 $SYFI turns into 15,551, and subsequently the price quote for these tokens being over 740ETH.” 740 ETH was about $250,000 at the time of Amplify’s transaction and has since gone higher.
Amplify’s first thought: “This is a UI bug, it’s going to bait me into sending a transaction I know will fail because of insufficient output amount.” Amplify’s second thought: Okay, fine. If it doesn’t work, they’d just lose “$20-$50 of fees.”
It worked. That transaction giveth to Amplify, but taketh away from everyone else. The project has since collapsed.
Amplify, who said they worked a minimum-wage job at the time, clarified that they didn’t mean to do anything malicious: “I saw an opportunity, or trade if you will, and I took it.” If Amplify didn’t exploit it, someone else would have.
Not that there’s much guilt. Amplify told Decrypt: “It seemed clear from the beginning that the community for SYFI was there simply to make money.” In a community full of traders, it’s reasonable to assume no one did much due diligence on the team or their credibility.
“People still rightfully believe the devs failed to audit their code and produced a buggy product. It’s no one’s fault but their own,” Amplify told Decrypt.
Amplify said that they have a bounty on their head and that friends are worried about their safety. Amplify sent one friend a “finder’s fee” for introducing them to SYFI. “So his address was clearly implicated in the ‘crime’ at the time,” they said.
Life has changed for Amplify, who is now much richer. They quit their day job and said they have given about $10,000 to a Gitcoin grant.
“I’ve worked a minimum wage job most of my life,” they told Decrypt. “If I can intelligently apply this wealth properly I can ensure my family will not struggle for basic needs, like a running car.” Most of the money, though, is going straight back into YFI vaults—the actual YFI, this time.
But their pledge of innocence remains. “I did not know this bug in $SYFI existed. I simply pressed a button because I saw something unbelievable on the other side,” they tweeted.