On November 3rd, 2021, we were alerted via Discord about potential malicious actions toward other projects, perpetrated by Jason / punk1004, one of the developers who has done work for YAM. Upon hearing this and receiving evidence from the accusing parties, several members of the YAM core team began doing research into the matter.

Internal Investigation

After doing further research, we have come to the conclusion that YAM should no longer compensate or accept contributions from this individual or allow them to hold any position or power or authority within the DAO.

Below are our conclusions from this research:

1. There are multiple connections between the contributor’s public wallets and the exploiting (bad actor) wallets.
2. There are multiple connections between the contributor’s public github account and the second github account that was used to do work on these other projects that had funds stolen from them.
3. There are connections between the contributor’s github account and Ethereum wallets to other github accounts and other Ethereum wallets that have worked on, deployed, or been the recipient of funds from projects that many would consider to be scams, or at the very least, suspicious.
4. There is circumstantial evidence including chats and a voice recording that seem to match characteristics of the contributor.
5. The distinction of whether this contributor was personally responsible for these actions or unwittingly caught up in the actions of other individuals ultimately does not matter. Their involvement shows extremely bad judgement and is a serious security risk for YAM.

Actions

We have removed all access that Jason / punk1004 has to the YAM github, any discord admin privileges and all other access to potentially sensitive information.

By coincidence, this individual’s vesting stream had ended and was under review for renewal. The YAM HR group strongly recommends against renewing it. Of course, owning YAM and voting on YAM governance is permissionless, so these are not actions that we can prevent.

As contributor compensation is retroactive for previous work completed for the DAO, there is a question of whether Jason / punk1004 should be compensated for his work for Yam from the past month. The team feels that this is a decision which the entire DAO should make via governance and a snapshot vote will be forthcoming. We will also vote on whether this individual should be allowed to remain in the Yam Discord.

Final Thoughts

We want to be clear, the YAM protocol has not been attacked or exploited by this individual or others. This individual had limited access to our github repos and core smart contracts. They did not work on any of YAM’s smart contracts and our development process involves peer review before any new code is merged into the codebase. Our development team closely checks each block of code that is being worked on prior to deploying it safely.

We will continue to work using industry best practices for peer review and security in all work that we do. These events show that our development practices work to allow a varied set of contributors to work on our code base without added security risks, and we will continue to iterate and develop our security practices.