Yield optimizers’ incident reports on Venus— in layman terms
It seems most yield optimizers published incident reports (and some accused each other) for the Venus issue their encountered, but no one explained what really happened in layman terms.
Let me do that, so everyone can understand.
Yield optimizers and leveraging
Yield optimizers are using strategies which supply one asset, borrow more of the same asset, supply again, borrow again..
With those actions, they manage to get high APR for their users.
Beside auto-compounding, the above mentioned leverage tactic is one of yield optimizers’ greatest strengths.
However that can also be their biggest weakness, if their strategies are bad. That is exactly what happened with Autofarm.
Autofarm’s issue on Venus
I read their post-mortem, and I noticed that intentionally or unintentionally they left out the main details. Let me try to explain what exactly caused all this.
Autofarm’s strategies are ineffective.
When a user withdraws a small amount from autofarm’s venus vaults, autofarm’s strategy withdraws the whole amount of their Vault and re-deposits it again.
Venus’ 0.01% fee is small and insignificant, but when applied multiple times on $40m - it is huge.
Here is an example:
- Someone withdraws $60 from autofarm’s venus vault. Instead of withdrawing just enough to cover that withdrawal, autofarm’s strategy withdraws their whole vault (~$40,000,000) from Venus, and re-deposits it again.
That is called unnecessary leveraging, unnecessary risk, or it can also be called volume washing, as mentioned in the chat/picture below:
With that strategy autofarm was losing $4000 of users’ money on each withdrawal, as shown in the picture below:
And that happened over and over, which resulted with huge losses for their users.
Here is what happened in a short span of 20 minutes (the numbers in yellow are the so called “leaked funds”):
In 20minutes around $50,000 were lost only from autofarm’s USDT and USDC vaults.
I don’t have an exact final number since this leak is still on-going, but seeing that Venus’ treasury got $15 million in it atm, it means the damage autofarm caused to its users is millions.
Beefy’s vaults and reaction
Beefy is basically building on top of autofarm’s venus vaults.
They are using autofarm’s yield to create bigger APRs, which basically means beefy is dependent on autofarm.
After reading beefy’s incident report, I noticed that beefy just attacked autofarm and belt as the only culprits.
This is not right. If you decide to build on top of some other project, it means you are vouching for them and taking part of the risk.
If you are not sure that the project you are building on is safe/secure, it means you are hiding important information from your users and you are directly exposing your users to risk without telling them.
The second part in beefy’s incident report which stands out - is how they praise themselves for acting solo during this incident, without reaching out to autofarm.
Building on top of someone’s project means you are dependent and vouching for them at the same time, and you must have a direct line of communication with them.
If you do not do the above, it means you are not taking the necessary steps to protect your users and you are exposing your users to direct risk.
This is the second time beefy decided to attack autofarm, the first time was around 2 months ago, in this earlier beefy’s incident report as shown in the picture below.
A friendly advice: Instead of always trying to find someone to blame, work on creating better strategies and improve your project-to-project and project-to-user communication.
Belt also had similar issues. According to their incident report, they were losing users funds “due to the extremely high utilization of Venus Protocol’s asset lending.” In layman terms - they were losing funds because their strategies were ineffective, similarly to autofarm’s.
At first, they partly acknowledged this, and instructed users to move to their 4belt v2 pools, as shown in the pictures below.
However, their 4Belt pool was also not working.
Users were not able to withdraw, while their LPs were burned.
ACryptoS’ functional Venus Vaults
During this time, ACryptoS’ Venus Vault were the only vaults which were not losing funds and kept generating yield for its users.
This is due to ACryptoS’ effective Venus strategy, which withdraws only the necessary amounts from Venus.
For example - if a user withdraws $1000, ACryptoS strategy will withdraw just enough to cover that user’s withdrawal.
That means the fee of 0.01% will be insignificant and there will be no loss of funds for the users.
The only necessary change in ACryptoS was a strategy patch, since their current strategy was coded to prevent any malicious actions (such as unplanned fees being applied on the withdrawn amount).
All dev actions in ACryptoS are behind a 48h timelock, which means their strategy upgrade was coming in 48h. All venus related withdrawals were paused for those 48h, while the Venus Vaults were operating normally and were still generating yield for the ACryptoS users.
ACryptoS’ Venus Vaults are fully operational at this time.
Venus is not the one to blame here, since they announced these changes earlier, as explained in their letter to the BSC community.
They previously announced this fee in multiple ways, as it can be seen in the picture below.
Some friendly advices to yield optimizers:
- Focus on safety
- Build on top of safe projects. If you build on top of a project, you are basically vouching for them
- Do not blame others for the risks you decide to take
- Communicate with other projects
- Communicate with your users in layman terms
Some friendly advices to users:
- If an announcement/article you read seems to be too technical, ask for direct (layman terms) clarifications from the project you are in
- Always do your own research
- Manage your risk and choose projects carefully
- Read this article on Sustainability, Longevity and Safety