Finance Redefined: DeFi gets its first merger after a devastating hack, Nov. 18–25

Pickle Finance got hacked so badly on Saturday that its developers asked to be merged into Yearn.

Finance Redefined is Cointelegraph’s weekly DeFi-centric newsletter, delivered to subscribers every Wednesday.

On Saturday, we saw one of the most complex smart contract hacks yet affecting Pickle Finance, a yield optimization protocol very similar to Yearn — an important point for later.

PeckShield provided a technical explanation for it, but I think only Solidity developers can really understand it.

The high-level take is that the hacker found two textbook examples of code vulnerabilities in the “pickle jars” — the protocol’s term for yield strategy contracts. One was failure to check if the jar is actually supported, which resulted in the hacker deploying an “evil jar” that the system believed to be legitimate. The other flaw was a “remote” code execution vulnerability that allowed the hacker’s contract to call functions as if it were the Pickle administrator contract.

The hacker basically just instructed the smart contract to give them all the money it held. The loot is the entirety of the affected Dai jar, worth about $20 million.
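The two flaws described above correspond to two checks a controller-style contract needs: a registry lookup on every jar address it is handed, and an allowlist on any call it forwards under its own identity. The Solidity contract below is an added example, not Pickle's or Yearn's code; the contract, the `IJar` interface and every function name in it are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Every name below is hypothetical; this is not Pickle's code.
interface IJar {
    function withdrawFor(address owner, uint256 shares) external returns (uint256 assets);
    function depositFor(address owner, uint256 assets) external returns (uint256 shares);
}

contract SwapController {
    address public immutable governance = msg.sender;
    mapping(address => bool) public isJar;                        // jars the protocol registered
    mapping(address => mapping(bytes4 => bool)) public isAllowed; // converter target => selector

    error NotGovernance();
    error UnknownJar(address jar);
    error CallNotAllowed(address target, bytes4 selector);
    error ConverterFailed(address target);

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance();
        _;
    }

    function setJar(address jar, bool ok) external onlyGovernance { isJar[jar] = ok; }

    function setAllowed(address target, bytes4 selector, bool ok) external onlyGovernance {
        isAllowed[target][selector] = ok;
    }

    function swap(address fromJar, address toJar, uint256 shares,
                  address[] calldata targets, bytes[] calldata data) external returns (uint256) {
        // Flaw 1: without these checks, any contract implementing IJar is trusted as a jar.
        if (!isJar[fromJar]) revert UnknownJar(fromJar);
        if (!isJar[toJar]) revert UnknownJar(toJar);
        require(targets.length == data.length, "length mismatch");

        uint256 assets = IJar(fromJar).withdrawFor(msg.sender, shares);
        for (uint256 i = 0; i < targets.length; i++) {
            // Flaw 2: a forwarded call runs with this contract as msg.sender, so both
            // the target and its 4-byte selector must be on the governance allowlist.
            bytes4 selector = bytes4(data[i]);
            if (!isAllowed[targets[i]][selector]) revert CallNotAllowed(targets[i], selector);
            (bool ok, ) = targets[i].call(data[i]);
            if (!ok) revert ConverterFailed(targets[i]);
        }
        return IJar(toJar).depositFor(msg.sender, assets);
    }
}
```

An allowlist entry is only as strong as the converter behind it: a listed converter that itself forwards caller-supplied targets reintroduces the second flaw.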

A few developers including Banteg, a core Yearn team member, assisted the Pickle team in triaging the vulnerability. Not that there was much that could be done — the money was gone, and this hacker was not so gracious as to return money to “nurses” affected by the hack.

This was perhaps the first high-profile usage of DeFi insurance. Cover Protocol, which provided some Pickle users with coverage in case of disastrous events like this, paid out $320,000 worth of claims in full after a five-day deliberation.

The first merger, or should we say vassalization?

Fast forward to Tuesday, when Andre Cronje, Yearn’s founder, publishes a plan of how Pickle Finance and Yearn will now have a “symbiotic relationship.”

In essence, Pickle’s yield-farming strategies are going to become Yearn’s. Its developers will publish them on the Yearn platform and earn the 10% performance fee reward, just like any other strategy developer. In general, the Pickle team will benefit from the Yearn team’s technical expertise.

For Yearn users, this symbiosis brings with it some monetary and governance benefits. They will be able to put their vault tokens — which represent their share of a yield-farming strategy fund — into a Pickle gauge. In doing so, they will earn DILL, Pickle’s newly established voting token. Further rewards coming from Pickle are also planned, while users affected by the hack will eventually be reimbursed through a scheme involving another token called CORNICHON.

If any of you ever played Crusader Kings 2 (a strategy game where you lead a state in the Middle Ages), this seems quite similar to the strategy of willingly becoming some large empire’s vassal to receive protection from a bigger enemy.

The two ecosystems will be effectively merged, with Yearn users receiving a stake in Pickle but not the other way around. Nonetheless, some Yearn community members expressed dissent over what seems like a unilateral decision by the development team to absorb another protocol.

On the face of it, this would look like the exact type of thing token holders should have a say in. In response, another Yearn core member, Tracheopteryx, raised an important point about the process: There is (almost) no action required from Yearn.

Vaults are already permissionless, so the Pickle team could’ve developed strategies on Yearn at any point. The additional tokens and gauges are all going to be implemented on Pickle’s side — again, they could’ve done it themselves earlier.

I would still expect this to at least subtract some resources from Yearn for integration and auditing, but the holders did delegate major operational decisions to the core team in an earlier vote.

The ease of the merger is a powerful testament to the composability and freedom of DeFi, perhaps the “good example” when compared to SushiSwap’s birth as a Uniswap parasite. But we should also be aware of the power dynamics of it all — I wouldn’t want DeFi to look like my Crusader Kings games.

Further developments this week

[…]