DeFi Security Challenges

Decentralized Finance Under Attack: Challenges and Responses

Pedro M. Negron
IntoTheBlock


Based on IntoTheBlock’s weekly newsletter. If you enjoy it and would like to receive it every Friday, make sure to sign up here!

This week, we cover the recent attacks on several crucial platforms that have left the decentralized finance (DeFi) sector in a state of turmoil. Over the weekend of July 29th, Curve Finance, a key decentralized exchange, fell victim to an attack. Approximately $50 million was stolen from four trading pools, one of which was a pool in which CRV traded. This event put pressure on the CRV price, which in turn affected some key positions on lending markets. These positions were close to being liquidated until the CRV price stabilized.

Network Fees — Sum of total fees spent to use a particular blockchain. This tracks the willingness to spend and demand to use Bitcoin or Ether

  • August tends to be the most inactive period of the year for trading, and this could have contributed to the drop in fees on both blockchains
  • Ethereum fees have dropped less, probably because of the Curve turbulence in DeFi, which has forced several moves on very large positions across key DeFi protocols

Exchanges Netflows — The net amount of inflows minus outflows of a specific crypto-asset going in/out of centralized exchanges

DeFi Security Challenges

The hack was made possible by a compiler bug in Vyper versions 0.2.15, 0.2.16, and 0.3.0, which left numerous Curve factory stable pools paired with ETH with malfunctioning reentrancy locks. This bug severely compromised the security of these pools; among the primary targets were crv/eth, aleth/eth, mseth/eth, and peth/eth. Vyper is a smart contract programming language whose syntax closely resembles Python. Created specifically to make writing smart contracts simpler and safer, it has been adopted extensively across the Curve ecosystem. The type of attack, a reentrancy attack, is a common vulnerability in which an attacker’s contract calls back into the protocol while an earlier call is still executing and has not yet finished updating its state, which can result in asset theft.
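To make "malfunctioning reentrancy lock" concrete, here is an added Python model (not Curve, Vyper or compiler code) of a toy pool with two guarded entry points. The correct lock maps every function guarded with the same key to one shared storage slot; the malfunctioning variant gives each function its own slot, so a lock held during a withdrawal does not refuse a re-entering call into `add_liquidity`. The `Pool`, `add_liquidity`, `remove_liquidity` names and the sample balances are constructed for illustration, and the per-function-slot behaviour is a model of how such a lock can fail, not the compiler’s actual bug.

```python
class Reentered(Exception):
    pass

class Pool:
    """Toy pool (constructed, not Curve code): remove_liquidity sends ETH via an
    external call that can call back into the pool before the withdrawal finishes."""
    def __init__(self, shared_lock: bool):
        self.shared_lock = shared_lock  # True = correct lock, False = malfunctioning lock
        self.reserve, self.lp = 100, {"alice": 10}  # sample state
        self.lock_slots, self.log = {}, []  # lock_slots models the lock's storage
    def _slot(self, fn: str) -> str:
        # Correct behaviour: every function guarded with the same key shares ONE slot.
        # Malfunction (illustrative): each function gets its own slot, so a lock held
        # by remove_liquidity does not refuse a call into add_liquidity.
        return "lock" if self.shared_lock else f"lock@{fn}"
    def _enter(self, fn: str) -> None:
        slot = self._slot(fn)
        if self.lock_slots.get(slot):
            raise Reentered(fn)
        self.lock_slots[slot] = True
    def _exit(self, fn: str) -> None:
        self.lock_slots[self._slot(fn)] = False
    def add_liquidity(self, who: str, amount: int) -> None:
        self._enter("add_liquidity")
        try:
            self.reserve += amount
            self.lp[who] = self.lp.get(who, 0) + amount
        finally:
            self._exit("add_liquidity")
    def remove_liquidity(self, who: str, on_receive) -> None:
        self._enter("remove_liquidity")
        try:
            amount = self.lp.pop(who)
            self.reserve -= amount
            on_receive(self, who, amount)  # ETH transfer: control passes to the recipient
        finally:
            self._exit("remove_liquidity")

def reentering_recipient(pool: Pool, who: str, amount: int) -> None:
    # Recipient callback that calls add_liquidity while remove_liquidity is mid-flight.
    try:
        pool.add_liquidity(who, amount)
        pool.log.append("reentry-allowed")
    except Reentered:
        pool.log.append("reentry-blocked")

def cross_function_reentry_blocked(shared_lock: bool) -> bool:
    """Deployment check: a mid-withdrawal call into add_liquidity must be refused."""
    pool = Pool(shared_lock)
    pool.remove_liquidity("alice", reentering_recipient)
    return "reentry-blocked" in pool.log
```

A check like `cross_function_reentry_blocked` belongs in a pool’s test suite and must be run against bytecode produced by the exact compiler version being deployed, because a defect that lives in the compiler rather than the contract source is invisible to source review alone.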

Source: IntoTheBlock’s CRV Indicators

Following the hack, CRV, the governance token of Curve, experienced a 21% price drop, causing turmoil within the community.

  • Michael Egorov, the founder of Curve Finance, currently owes around $80 million in on-chain debts to various lending platforms.
  • To reduce the risk of liquidation, the co-founder of Curve has opted to sell CRV tokens to prominent institutions through Over-The-Counter (OTC) transactions.
  • By selling 72 million CRV tokens at a price of $0.40 each, Egorov managed to raise a minimum of $28.8 million. With this cash, he has been able to partially repay his debts to Aave, Abracadabra, FraxLend, and Inverse Finance, though not all of them have been fully settled.
  • If the price of CRV drops to $0.368, it could create complications for Egorov on Aave, where he still owes a loan of approximately $50 million.
Source: IntoTheBlock Risk Radar Upcoming Curve Analytics

Total Value Locked (TVL) in Curve dropped from around $3.1 billion before the incident to $1.67 billion. While certain pools experienced withdrawals of liquidity, the major ones like stETH/ETH remained relatively stable with an average exit of around 20%. However, smaller pools like sETH/ETH witnessed a more substantial reduction, with approximately 50% of their liquidity being withdrawn.

  • Undoubtedly, the situation could have been more severe. Interestingly, white-hat hackers intervened and managed to withdraw assets from certain pools on Curve before they could be drained.
  • MEV (Maximal Extractable Value) played a role in preventing some of the attacks. An account under the pseudonym of Coffeebabe.eth was instrumental in reversing at least two of the malicious attacks by strategically placing transactions ahead of them.
Source: IntoTheBlock Risk Radar Upcoming Curve Analytics

Chainlink, the on-chain data provider, is garnering appreciation for its role in averting widespread collateral damage across the sector during the attack.

  • If platforms such as Aave or other DeFi lending protocols had utilized the (now depleted) CRV/ETH Curve pool as an on-chain oracle, they would have suffered significant losses due to bad debt.
  • Amid the panic, the lending and borrowing protocol Aave decided to deactivate its CRV borrowing function.

The recent series of attacks on several key platforms in the decentralized finance (DeFi) sector, notably the high-profile hack on Curve Finance, has led to significant turmoil. The founder’s on-chain debts and the resulting liquidation risk have prompted efforts to raise funds and contain the impact. White-hat hackers intervened to prevent some attacks, and Chainlink’s role in preventing sector-wide collateral damage has been praised. These incidents highlight the need for continuous vigilance and security enhancements in the DeFi space to safeguard user assets and maintain investor confidence.
