Andre Cronje’s latest project, Eminence, got hacked hours after the token contract was published and hyped.
“Yesterday we finished the concept behind our new economy for a gaming multiverse. Eminence. As per my usual methodology, I deployed our staging contracts on ETH so we can continue developing on it. Eminence is at least ~3+ weeks still away,” Cronje said before further adding:
“Yesterday alone you will notice I deployed 2 separate batches of the contracts, this is my usual ‘test in prod’ process. We started releasing some of the art teasers to showcase all the different clans in the game on Twitter.”
Those art teasers then got picked up by others who, based on Cronje’s achievements with YFI, went on to say:
Gaming Non-Fungible Tokens (NFTs) are nothing new, but Cronje has been jumping from project to project to maintain momentum, so these were to be Cronje gaming NFTs, which are new. However, Cronje says:
“Around ~3AM I was messaged awake to find out a) almost 15m was deposited into the contracts b) the contracts were exploited for the full 15m and c) 8m was sent to my yearn: deployer account.
The exploit itself was a very simple one: mint a lot of EMN at the tight curve, burn the EMN for one of the other currencies, sell the currency for EMN.”
Hacked contracts are also nothing new, but this is becoming a pattern of sorts. First, Cronje’s Y Curve pool was, unbeknownst to him, underpricing DAI. He discovered the bug himself only after launching yETH, which had to be shut down because of this DAI underpricing.
Then a simple earn() trigger “could manipulate the share price, allowing you to buy the dip” in one of his vaults, a bug that was likewise discovered only after people reported losing money, just days ago.
EMN, however, seems to have gone quite a bit more wrong: people rushed to buy it after some ‘influencers’ hyped it, while the hacker rushed to mint EMN tokens at will and sell them to the hypies.
The hacker got some $15 million from it, but returned $8 million, in what must be an unspoken negotiation of sorts: depositors thought they had lost it all, but now it’s only half.
All this hasn’t been great news for YFI, which had been showing signs of recovering but has now lost about 10%.
Nor is it great news for the ecosystem’s ability to enforce the simplest rule of them all: you must have an audit.
A silly game can easily wait weeks or months when people’s money is on the line, and that money demands extreme care: not just great care, but extreme care.
An audit obviously isn’t some sort of certificate of unhackability. It’s merely a certificate of: we’ve done everything we can and even these experts couldn’t find anything, but these experts are nothing to the Nakamotos around the world, so still be mindful of the risks.
Whether an audit would have found this “simple” bug is not clear, but if it is so simple, then it’s not clear whether the auditors would be doing their job if they did not find it.
Regardless, it’s not clear what the urgency was to get this contract out, besides the simple desire to hype the next best thing, which they thought was some gaming token.