Curve’s vulnerability highlights a recurring concern

Giottus
5 min read · Aug 7, 2023

Here is the gist of what happened with Curve Finance this week.

On July 30, Curve Finance was hacked through a vulnerability in Vyper, the programming language in which parts of its system are written. Because certain smart contracts were running different versions of Vyper, some of them affected by the flaw, an attacker was able to exploit several pools in the Curve protocol.

Hackers stole around $60 million, causing a ripple effect throughout the crypto sector and raising questions about the strength of the decentralized finance ecosystem.

Robert Chen, a white-hat engineer who worked on the Vyper recovery, has created a timeline report that explains the events.

Curve is one of the largest decentralized exchanges (DEXs) today, with about $1.7 billion in total value locked (TVL), according to data from the DeFi TVL aggregator DeFiLlama. The hack was therefore limited to about 4% of TVL. Still, it should not have happened.

The ramifications could nonetheless be severe, as we note below.

1. A liquidation crisis has been averted

Michael Egorov, the founder of Curve, holds large debt positions across several lending protocols such as Aave, Frax, Abracadabra and Inverse, with the majority locked into Aave. He has close to 365 million CRV, valued at $211 million according to the blockchain analytics site DeBank.

A sudden decline in CRV’s price raised concerns about his ability to back these loans. If CRV trades below $0.37, his position of 250 million CRV gets liquidated. CRV is currently trading at $0.57.

Given that major centralized and decentralized exchanges do not have deep circulating liquidity in CRV, a collapse in the token would leave Aave with bad debt. To avert this, many individuals and companies struck over-the-counter (OTC) deals at a discount this week to keep CRV’s price afloat.

Source: X

Blockchain data from Tuesday shows Justin Sun of Tron purchased about 5 million $CRV from a wallet tagged ‘Curve.fi Founder’ at an average price of $0.4 in an over-the-counter transaction. Several other DeFi players stepped in to pick up discounted $CRV tokens via OTC trading shortly after Sun’s purchases.

Crypto investor Jeffrey Huang, known online as Machi Big Brother, bought 3.75 million tokens, while crypto fund DWF Labs and DeFi protocol bought 2.5 million CRV each.

2. Looming interest rate risks on LPs

On Frax Finance, Egorov currently has 38 million CRV supplied against 9.1 million FRAX of debt.

Source: https://debank.com/profile/0x7a16ff8270133f063aab6c9977183d9e72835428

Though this involves less CRV collateral and less stablecoin debt than his Aave position, it poses a larger risk to CRV because of Fraxlend’s Time-Weighted Variable Interest Rate. According to Delphi Digital, at 100% utilization, where the pool currently sits, the interest rate doubles every 12 hours. The current interest rate is 81.2%, but it can be expected to climb to nearly 10,000% APY after just 3.5 days.

Egorov has twice attempted to lower his debt and the utilization rate, repaying a total of 4 million FRAX this week, but liquidity providers have rushed to withdraw liquidity as soon as he pays.

This dynamic poses a greater risk for CRV and could cause the token to tank, with knock-on effects on other DeFi lending protocols.

3. DeFi hacks are commonplace

This hack is neither new nor was it unexpected. In February this year, more than $21 million worth of tokens were stolen from seven DeFi protocols. “Reentrancy, price oracle attacks, and exploits across seven protocols caused the DeFi space to bleed at least $21 million in crypto in February,” — notes Cointelegraph. Curve’s exploit was also a ‘reentrancy’ issue.
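To make the reentrancy point above concrete, here is a constructed Python model (added here, not Curve’s or Vyper’s code) of a pool whose functions share a named reentrancy lock, in the style of Vyper’s `@nonreentrant("lock")`. It compares a guard that correctly shares one flag per lock name with a hypothetical faulty guard that keeps a separate flag per function, so a callback that re-enters through a different guarded function slips past; the pool, user names and amounts are all constructed.

```python
import functools


class ReentrancyError(Exception):
    pass


def nonreentrant(name):
    # Constructed model of a named reentrancy lock; the contract instance
    # decides how lock names map to flags via its lock_key function.
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, *args):
            key = self.lock_key(name, fn.__name__)
            if key in self.held_locks:
                raise ReentrancyError(f"{fn.__name__} re-entered under {name!r}")
            self.held_locks.add(key)
            try:
                return fn(self, *args)
            finally:
                self.held_locks.discard(key)
        return wrapper
    return deco

# Intended semantics: every function using the same lock name shares ONE flag.
shared_lock = lambda name, fn: name
# Hypothetical faulty guard: one flag per function, so re-entering through a
# different guarded function is never detected.
per_function_lock = lambda name, fn: (name, fn)


class Pool:
    def __init__(self, lock_key):
        self.lock_key, self.held_locks, self.shares = lock_key, set(), {}

    @nonreentrant("lock")
    def add_liquidity(self, user, amount):
        self.shares[user] = self.shares.get(user, 0) + amount

    @nonreentrant("lock")
    def remove_liquidity(self, user, on_receive):
        amount = self.shares[user]
        on_receive(self)          # external call happens BEFORE the state update
        self.shares[user] = 0
        return amount


def reentry_blocked(lock_key):
    # True if a callback re-entering via add_liquidity is rejected by the guard.
    pool = Pool(lock_key)
    pool.add_liquidity("lp", 100)
    try:
        pool.remove_liquidity("lp", lambda p: p.add_liquidity("lp", 1))
    except ReentrancyError:
        return True
    return False
```

The useful check for a defender is the second case: the external call before the state update is identical in both pools, and only the lock implementation decides whether the re-entry is caught.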

There had been 18 documented attacks on DeFi protocols this year before Curve.

This raises the question: why are DeFi protocols not robust enough to withstand these attacks? It may come down to how a DEX operates. Developers are usually spread across different time zones and do not interact the way they would in a centralized company. Given that something as mundane as failing to update software versions can open a loophole for attackers, consistent commitment and the ability to act on one-way communications become key.

Another debatable point: why do DeFi founders carry exposure to high-risk loans predicated on the value of a token? Curve Finance could have absorbed (or lived with) the $60 million loss over time if not for the loans collateralized by CRV.

Instead, Curve is offering the hackers a 10% bounty to return the stolen funds.

Source: X

Key takeaway

DEXs are an important element of the crypto ecosystem. They have the potential to drive innovation, surface analytics at a larger scale, and open up alternative financial opportunities worldwide. However, they must address some perennial issues: vulnerability to hackers and exposure to market realities.

As this plays out, we urge our readers not to hold any assets in Aave or any other lending market with exposure to CRV. To be doubly sure, it would be better to withdraw liquidity from all Curve pools.

In general, many centralized exchanges (CEXs), including Giottus, offer fixed rewards/returns comparable to those of DEXs, which obviates the need to use DEXs for these purposes.

While hardware wallets are the best place to store your crypto, keeping a small portion of your assets in hot wallets, including DEXs, is understandable; just acknowledge the risks involved.

Written by Giottus

www.giottus.com India's Top-Rated Cryptocurrency Exchange