Value DeFi

Basics

• Aka YFV Value DeFi
• Based in:
• Announced on:
• Mainnet release:
• Got exploited three times, two of which in the same week (8-5-2021).

History

Audits & Exploits

• Bug bounty program can be found [insert here].

• Scored a 55% on DeFi Safety (11-2020);

"Value DeFi was audited 8 times, incrementally by 3 groups. This is an excellent process. Some observations; most of the audits (with the exception of Peckshield) do not deal with the complex financials that ValueDeFi uses. While the audits add value, more analysis seems needed. Only one audit mentions the implementation of fixes. This would add value also. As per our process, the 100% score stays.

Value Defi was first deployed September 22nd, 2020.

The Arcadia Group did an audit on November 4th, 2020.

The Arcadia Group did an audit on August 29, 2020.

The Arcadia Group did an audit on September 1st, 2020.

Pessimistic did an audit on September 11th, 2020.

The Acadia Group did an audit on September 18th, 2020.

The Acadia Group did an audit on October 20th, 2020.

Peckshield did an audit on November 29th, 2020.

The Acadia Group did an audit on November 4th, 2020."

With the extra comment: "It went from 8% to 55%. An improvement, but still very little testing or software docs.  They have plenty of good audits, but their scope is limited (except the one from Peckshield)."

Bugs/Exploits

• Got hacked for roughly $6 million but the hacker returned (16-11-2020) $95,000 in DAI stablecoins after reading some sad messages left for him in Ethereum transactions. From Decrypt (16-11-2020):

"In his reply, the hacker noted that “there are so many people who lack knowledge and caution, and sooner or later those money will be lost,” but nonetheless sent the user 50,000 DAI a few moments later. The hacker then transferred 45,000 DAI to a user claiming to be a student who lost $200,000 of his family’s life savings in the hope of getting a high-yield return. As Decrypt reported on Saturday, the hacker seemingly used a flash loan attack to siphon money from Value DeFi. 

Value DeFi has also reached out to the hacker via a private note in a transaction, offering him to keep $1 million as a bug bounty and asking to return the rest."

• From Rekt (14-11-2020):

"Despite their bold claims of security [it claimed to have flash loan attack prevention, fake-token attack prevention and re-entrence attack prevention], it appears the Value DeFi team didn’t know that withdrawals could be made not only through the main Bank contract, but also from the Vault contract through Proxy. The exploit came at a particularly bad time for Value DeFi, just 20 minutes before they were due to start an AMA."

• From Rekt (6-5-2021):

"Back then we learned that Value DeFi did not really know flash loan. Now they have lost another $10,000,000, and we find out that Value DeFi do not really know copy paste either, as they report the exploit was made possible due to losing a line of code by “human error”. The actions can be verified on-chain here.

The affected pool contract had an initialize() function that should have been activated after deployment. The line: initialized = true; is missing from the function.

This meant anyone could re-initialize the pool and set themself as owner, thereby taking full control. As owner, the exploiter used the governanceRecoverUnsupported(), which is used for recovering pool funds in the event of a bug or undesired event.

During set up of the profit-sharing vStake pool, the code was not written from scratch but migrated from the old implementation of the Value DeFi Reserve Fund, which had the correct setting. When merging the code, the line was not included."

• From Rekt (8-5-2021):

The “co-founder” was a paid actress, the code was copied and used incorrectly, and as a result, Value DeFi has been absolutely taken down. Is this the third and final time, or will the apes continue to forgive and forget? Approximately $11 million was stolen from the vSwap AMM vSwap pools. Any pool which did not have its liquidity split 50/50 between assets was exploited. The Value DeFi team were reassuring users of the safety of their platform only hours before the latest exploit, tweeting about increased security measures which clearly had zero impact.

Governance

DAO

Treasury

Token

Launch

Token allocation

Utility

Token Details

Stablecoin

Coin Distribution

Technology

• Whitepaper can be found [insert here].
• Code can be viewed [insert here].
• Built on:

How it works

Fee Mechanisms

Upgrades

Staking

Liquidity Mining

Scaling

Different Implementations

Interoperability

Other Details

Oracle Method

• From Decrypt (19-11-2020):

"Value DeFi, that last Saturday lost $6 million after someone exploited a vulnerability with its unaudited, centralized price oracle, today integrated Chainlink."

Privacy Method

Compliance

Their Other Projects

Roadmap

• Can be found [Insert link here].

Usage

Projects that use or built on it

Competition

Pros and Cons

Pros

Cons

• Claimed to have flash loan attack prevention, fake-token attack prevention and re-entrence attack prevention, and then it got exploited by a flash loan (14-11-2020).

Team, Funding, Partnerships, etc.

Team

• Full team can be found [here].
• The “co-founder” was a paid actress (8-5-2021):

"The girl we caption as our co-founder in that video is actually just a paid actress, but one of our devs happened to go by that online alias, so then we coincidentally tracked down an actress by that same name on Fiverr to feature in our video!"

Funding

Partners