CVC Statements for Claim filed on 02/04/2021 for Yearn Finance

There was a claim submitted on Cover Protocol for Yearn Finance on 02/04/2021 here.

A Snapshot proposal is created here

Claim Guidelines can be found here.

This post is used for Cover Protocol Claim Validity Committee to post their statements on their decisions and findings.

Please do NOT comment if you are not a CVC member.

Statement format:

CVC member name: Pumpkin Auditing Firm
CVC member link: pumpkinauditing.com
Decision: Valid claim
Payout Percentage: x% (up to 100%)
Investigation: evidence/links to back up the decision and payout.

Incident Details
One of the relevant exploit transactions for the claim filed is: Ethereum Transaction Hash (Txhash) Details | Etherscan

At 9:49:07 PM UTC on February 4th, 2021, a transaction was performed that resulted in a realized loss of ~$11,000,000 of user funds in Yearn Finance. A claim was filed for a payout to COVER_YEARN_2021_02_28_DAI coverage token holders.

Here are a few tweets explaining more details.

CVC member name: Defi Yield
CVC member link: Website / Twitter
Decision: Valid claim
Payout Percentage: 36%
Investigation: Based on information from my investigation of this incident - link, I can confirm that this claim is valid.

CVC member name: PeckShield
CVC member link: www.PeckShield.com
Decision: Valid claim
Payout Percentage: 36%
Investigation: Here is an article we published about this incident:
The yDAI Incident Analysis: Forced Investment | by PeckShield | Feb, 2021 | Medium

CVC member name: Hacken
CVC member link: hacken.io
Decision: Valid claim
Payout Percentage: 36%
Investigation: Based on the given claims guidelines and review of Yearns Post Mortem we believe this claim is valid. yearn-security/2021-02-04.md at master · iearn-finance/yearn-security · GitHub

CVC member name: Weeb Mcgee
CVC member link: weeb (@Weeb_Mcgee) / Twitter
Decision: Valid claim
Payout Percentage: 36%
Investigation: Based on the below investigation, I believe this claim should be accepted on the basis that this was an exploit by a 3rd party using flash loans to abuse the smart contract. The resulting behavior was not expected nor intended by the protocol or the users.

Post mortem: yearn-security/2021-02-04.md at master · iearn-finance/yearn-security (github.com)

CVC member name: The Arcadia Group
CVC member link: arcadia.agency
Decision: Valid claim
Payout Percentage: 36%
Investigation: Based upon Yearns Post Mortem we believe this claim is valid. yearn-security/2021-02-04.md at master · iearn-finance/yearn-security · GitHub .

Aside: We would like to propose for consideration a potential review of the claims guidelines to better support situations where losses are greater than the aggregate pool size. With the thought process, that the losses in situations like this will always be greater than the pool size. Under current guidance, a partial payment proportional to the amount lost (in this case 36%) is what’s expected. Unfortunately, it may be insufficient as 36% of a $409K pool doesn’t really help an $11m pool loss. There are definitely issues with awarding the entire pool, but there may be an unconsidered middle ground worth reviewing.

edit: mixed up two claim numbers and have corrected