--- title: Postmortem Incident 8 --- # A bug in the uXTZ/XTZ LP token yyXTZ Date: 2023-09-28 Authors: Markus, Florin Status: ongoing ### Summary: The liquidity token contract of the recently deployed new uXTZ/XTZ contract, the yyXTZ token contract, has a bug. As a result, yyXTZ tokens which are deposited into smart contracts can get locked. This happened when a user created a Quipuswap pool with yyXTZ and uXTZ, resulting in currently locked tokens on that contract (see details below). The youves core contributors are already working on a solution and there will be a way to recover these locked funds, which we will explain at a later stage. For now it is important for you to not send yyXTZ to a smart contract. Holding it in your wallet, sending it to another tz1.... address is not a problem. Leaving liquidity in the uXTZ/XTZ pool is also not a problem. Youves core contributors will soon deploy a new contract for uXTZ/XTZ with a fixed LP token contract, which will replace the current contract and submit a YIP to rewire the interest rate payments to this new pool. Then we will ask you to withdraw your liquidity from the youves uXTZ/XTZ pool. After that, recovery of the currently locked funds will be prepared, details will follow. ### Detection: On Wednesday September 27, 2023 - 14:35 CET, a 3route contributor reached out a to youves contributor pointing out that any trades from uXTZ to yyXTZ will fail on the new Quipuswap pool and gave a hint to what the problem could be. ### Root causes: An existing bug in the LP token contract of uXTZ/XTZ, yyXTZ, with the address `KT1NtfNBPAo8UrcMexMyrKR5WCHb3VRiocvx`: For all transfer operations of the yyXTZ token, an approval of the transferring address needs to be requested from the yyXTZ token contract by calling the `approval` entrypoint. Most wallets like Temple request this approval by default when creating a transfer operation. So transferring it from a Tezos user wallet (tz1....) would just work because a user can always ask for approval for the yyXTZ token his own address is holding. The problem starts when a Tezos smart contract is trying to send the yyXTZ token: The smart contract would also need to request approval by calling the approval entrypoint on the yyXTZ token contract. A smart contract that is not prepared to do so, will not be able to move the yyXTZ. ### Trigger: The said bug already existed in the ligo template ([repo here](https://packages.ligolang.org/package/ligo-fa1.2)) used for the yyXTZ token. The bug was even discovered during testing shortly before the flat curve and LP token contracts were deployed on mainnet. But then, the full impact was not understood and it was assumed that it would always be possible to get allowance - which in hindsight was obviously not the case. ### Impact: On September 24, 2023 09:06 am, a user created a new pool with the token pair yyXTZ and uXTZ on Quipuswap (`KT1VVLLnLLZEwewB6g8fj7BMDsnsaU72Vatx`). A pool contract was instantiated and the user deposited yyXTZ and uXTZ as liquidity to the contract. But as the Quipuswap contract can not transfer the yyXTZ, it is 1.) not possible to swap uXTZ for yyXTZ and even worse, 2.) it is not possible to remove the liquidity again. So currently, these yyXTZ tokens are locked inside the Quipuswap contract. ### Resolution: Youves contributors are currently working on a solution, which comprises of two steps: 1. Deploy a new youves uXTZ/XTZ contract and it's LP token contract with a new one that has a fixed LP token contract. Redirect the interest rate payments to the new pool. Make everyone move their liquidity to the new pool. 2. Recover the funds which are locked in the Quipuswap pool, respectively in the youves uXTZ/XTZ pool due to the locked yyXTZ tokens in Quipuswap. Youves contributors already identified a solution to do that, which includes controlled drainage of the faulty uUXTZ/XTZ pool. We will explain this in detail later. But it includes setting the trading fees of the uXTZ/XTZ pool to 0%, which has to be done in the same YIP as the one needed to redirect the interest rate (see point 1.) ### Action Items: What steps were done to fix or mitigate the problem? Where are we at, currently? | Action Item | Type | Owner | State | | -------- | -------- | -------- |-------- | | Alert contributors, Identfiy reason for failure | mitigate | Markus, Florin, Ale |DONE | | Inform community to not deposit yyXTZ into smart contracts | mitigate | Markus |DONE | | reach out to Quipuswap to pause the contract and remove the pool from the Quipuswap frontend | mitigate | Markus |DONE | | Deploy a flat curve and fixed LP token contract to ghostnet | mitigate | florin |DONE | | Test new flat curve and fixed LP token contract on ghostnet | mitigate | Markus |Ongoing | | Deploy a flat curve and fixed LP token contract to mainnet | mitigate | florin |OPEN | | Rewire tez collateral engines to send interest rate to new pool, set trading fees on old pool to 0% | mitigate | YIP | OPEN | | Develop and test migration contract | mitigate | Florin | OPEN | | Execute migration contract | mitigate | Youves keyholders, Florin | OPEN | | Distribute recovered funds those entitled for recovery | mitigate | Youves Operations Multisig: Florin, Ale, Markus | OPEN | ### Timeline: What was the exact timeline of the relevant events/actions? (all times CET) 2023-09-24 09:06 User deploys a new yyXTZ/uXTZ contract on Quipuswap and deposits funds 2023-09-27 14:35 3Route contributor notifies youves contributors via Telegram 2023-09-27 18:35 Message is acknowledged, investigations start 2023-09-27 19:05 Root cause confirmed, research for solutions, affected users are informed 2023-09-28 09:15 Solutions are defined, development starts ## Lessons Learned ### What went well Alerting was fast once the message was received. Cooperation between DeFi groups (youves, 3Route, Quipuswap) on Tezos is remarkable. Affected users were immediately contacted. ### What went wrong Even though the bug, which existed in the ligo template, was discovered during the last testing round before mainnet deployment, its impact was highly underestimated and the affected LP token contract was still deployed. ### Where we got lucky Again we are thankful for our community of users and for the tightly knit community in Tezos DeFi where people help each other. We got also lucky that the network of contracts for youves are solid and flexible in the same time, which will allow us to recover the funds, using the DAO and the youves keyholders, which are admins of the uXTZ token contract. We are confident to be able to recover the locked tokens. ### Conclusion Once again, we had to learn that any allegedly small issue absolutely needs to be addressed and may not be postponed to be resolved only because the impact is deemed to be irrelevant. We will adjust our processes in order to avoid any similar situations in the future. Again, be assured that all youves synthetic assets, all other flat curve contracts and all farm contracts are not affected by this bug. Only the yyXTZ LP token contract has this issue.